pgadmin security issue - Mailing list pgadmin-support
From | Suren Manatunga |
---|---|
Subject | pgadmin security issue |
Date | |
Msg-id | DB77B0B74574481A93E2B988B33CC9E2@ramanet.com |
Responses | Re: pgadmin security issue |
List | pgadmin-support |
Hi,

(pgadmin 1.8.2)

PROBLEM 1

Even though we can restrict a user to a couple of databases, the user can disconnect from the current session and edit the connection properties.

So this means he could remove the DB restriction field “datname IN ('live_db', 'test_db')” and reconnect and see all the other databases.

I recommend setting up an admin account at the time of installing pgadmin, and only by logging in to the admin account of pgadmin should it be possible to create, edit and view connection properties.

PROBLEM 2

When making a connection to the DB server with pgadmin, if you use a valid db name and a valid user login name, then pgadmin will allow access to the database without checking the password.

I mean, if I type a wrong password but the user account and the database are valid, I will still be able to access the database.

I’m new to postgres so I’m not sure if this is a real bug or if this is a feature. Please update me ASAP.

Thanks

Suren
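Added example, not part of the original message and not pgAdmin's own code: the DB restriction field in the connection properties only filters which databases the client lists, so a limit on which databases a login can open has to be set in the server. The names `live_db` and `test_db` come from the message; the role `app_user` and the database `other_db` are hypothetical names used for illustration.

```sql
-- Run as a superuser.
-- app_user is a hypothetical role; other_db is a constructed name standing
-- for any database that role must not be able to open.

-- Every database grants CONNECT to PUBLIC by default, so that grant has to
-- be removed before a per-role grant means anything.
REVOKE CONNECT ON DATABASE live_db, test_db, other_db FROM PUBLIC;

-- Grant CONNECT back only on the databases the role is meant to use.
GRANT CONNECT ON DATABASE live_db, test_db TO app_user;

-- Verify from the server's point of view which databases the role can open.
-- Databases not covered by the REVOKE above (for example postgres and
-- template1) still show true here through the PUBLIC grant.
SELECT datname,
       has_database_privilege('app_user', datname, 'CONNECT') AS can_connect
FROM pg_database
WHERE datallowconn
ORDER BY datname;

-- Caveats:
--  * Superusers and the owner of a database are not limited by this.
--  * The role can still read database names from pg_database; it is
--    refused only when it tries to connect.
```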