pgadmin security issue

by suren@[EMAIL PROTECTED] ("Suren Manatunga") Apr 23, 2008 at 03:56 PM

Hi,

(pgadmin 1.8.2)

PROBLEM 1

Even though we can restrict a user to a couple of databases, the user can disconnect from the current session and edit the connection properties.

So this means he could remove the DB restriction field "datname IN ('live_db', 'test_db')" and reconnect and see all the other databases.

I recommend setting up an admin account at the time of installing pgadmin, and only by logging in to the admin account of pgadmin should one be able to create, edit and view connection properties.

PROBLEM 2

When making a connection to the DB server with pgadmin, if you use a valid db name and a valid user login name, then pgadmin will allow access to the database without checking the password.

I mean if I type a wrong password BUT the user account and the database are valid, I will still be able to access the database.

I'm new to postgres so I'm not sure if this is a real bug or if this is a feature. Please update me ASAP.

Thanks

Suren
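
One server-side reading of both observations above, as an added example that is not part of the original post or of pgAdmin: which databases a login may reach, and whether a password is checked, are decided by the first matching rule in the PostgreSQL server's `pg_hba.conf`, and a `trust` rule accepts any password. The post does not show the server configuration, so the two samples below are constructed, and `parse_hba`, `auth_method`, `appuser` and `other_db` are hypothetical names.

```python
import ipaddress

# Constructed sample pg_hba.conf contents (not taken from the post).
WEAK_HBA = """\
# TYPE  DATABASE         USER     ADDRESS      METHOD
local   all              all                   trust
host    all              all      10.0.0.0/8   trust
"""
# md5 suits the 2008-era server; current releases offer scram-sha-256.
HARDENED_HBA = """\
local   all              postgres              md5
host    live_db,test_db  appuser  10.0.0.0/8   md5
host    all              all      0.0.0.0/0    reject
"""

def parse_hba(text):
    """Return rules in file order; handles local and host* lines with CIDR addresses."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            dbs, users, method = fields[1:4]
            net = None
        else:
            dbs, users, addr, method = fields[1:5]
            net = ipaddress.ip_network(addr, strict=False)
        rules.append({"dbs": dbs.split(","), "users": users.split(","),
                      "net": net, "method": method})
    return rules

def auth_method(rules, db, user, client_ip=None):
    """First matching rule wins; client_ip=None means a Unix-socket connection."""
    for r in rules:
        if (r["net"] is None) != (client_ip is None):
            continue
        if client_ip and ipaddress.ip_address(client_ip) not in r["net"]:
            continue
        db_ok = "all" in r["dbs"] or db in r["dbs"]
        user_ok = "all" in r["users"] or user in r["users"]
        if db_ok and user_ok:
            return r["method"]
    return "reject"  # no rule matched: the server refuses the connection

if __name__ == "__main__":
    for name, text in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        rules = parse_hba(text)
        for db in ("live_db", "other_db"):
            print(name, db, auth_method(rules, db, "appuser", "10.1.2.3"))
```

With the hardened sample the server itself refuses `appuser` on any database other than `live_db` and `test_db`, so editing the client's DB restriction field changes only what the client lists.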


 




 3 Posts in Topic:
pgadmin security issue
suren@[EMAIL PROTECTED]   2008-04-23 15:56:08 
Re: pgadmin security issue
julius@[EMAIL PROTECTED]   2008-04-23 10:11:56 
Re: pgadmin security issue
dpage@[EMAIL PROTECTED]   2008-04-23 08:50:44 
