Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL - Mailing list pgsql-hackers

From: Chris Humphries
Subject: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
Msg-id: 15722.22143.470646.377742@metalico.drauku.net
In response to: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL (Lamar Owen <lamar.owen@wgcr.org>)
List: pgsql-hackers
so basically if you are an idiot admin, and leave the postgresql box
open (explicitly opening stuff), and under certain conditions, you can
get DoS'd? hrm, this may not be your biggest problem.

maybe if the dba has a clue and only explicitly allows certain ips
to even route to the box, and then certain users (1 or 2 or so) that
is not available to the public (ie, internet), they would be better off.
i would bet that with the lazy/ignorant setup of the dba/admin, that a
DoS of postgresql is not the biggest problem, sure one of their redhat
boxes has gotten rooted already...

there is nothing that is more important for security and databases than
setting them up correctly, and their place on the network. the database
is the crown jewel that should never be seen or touched except for when
_absolutely_ needed, and that must be under heavy control.

there is a bigger problem here than postgresql, it is the dumbass factor
of people that try to run a db, and are vuln to anything... and then complain
about it... i find this very annoying. 

know what you are doing, or stfu is my opinion

-chris

ps -> note this was not directed at any one person, but to the mass of people that never should run a db, and go
back to eating paint chips.

-----
disclaimer: i do not speak on behalf of devis (devis.com). i speak on my own behalf.
-----

</rant-mode>


Lamar Owen writes:
> On Monday 26 August 2002 10:46 am, Sir Mordred The Traitor wrote:
> > Conditions: entry in a pg_hba.conf file that matches attacker's host.
> > Risk: average
> >
> > --[ Solution
> >
> > Disable network access for untrusted users.
>
> TCP/IP access must be enabled as well.  TCP/IP accessibility is OFF by
> default.
>
> I for one thought that it was normal operating procedure to only allow access
> to trusted machines; maybe I'm odd in that regard.
>
> Hey, if I can connect to postmaster I can DoS it quite easily, but flooding it
> with connection requests.....
>
> But, if we can thwart this, all the better.
> --
> Lamar Owen
> WGCR Internet Radio
> 1 Peter 4:11
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo@postgresql.org so that your
> message can get through to the mailing list cleanly


-- 
Chris Humphries
Development InfoStructure
540.366.9809 
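The thread's advice (only explicitly listed hosts and a handful of users should be able to reach postmaster at all, and the advisory's precondition is simply "a pg_hba.conf entry that matches the attacker's host") can be checked mechanically. The script below is an added example, not code from this thread or from the PostgreSQL project. It audits a pg_hba.conf for entries that match any host on the Internet, grant `trust` over the network, open every database to every user from a non-loopback network, or use the cleartext `password` method; it understands both the 7.x `ADDRESS NETMASK` layout and the later CIDR layout. The sample config, the finding codes and the helper names are constructed for the example.

```python
"""Audit a pg_hba.conf for entries that expose postmaster to arbitrary hosts.

Added example; not code from the pgsql-hackers thread or from PostgreSQL.
Understands both the 7.x "ADDRESS NETMASK METHOD" layout and the later
"ADDRESS/PREFIX METHOD [options]" layout.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample: one loopback entry, one properly scoped entry, and the
# kinds of lines that make "an entry matching the attacker's host" true for
# the whole Internet.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER     ADDRESS                    METHOD
local   all       all                                 md5
host    all       all      127.0.0.1/32               md5
host    payroll   payroll  10.1.2.0/24                md5
host    all       all      0.0.0.0/0                  md5
host    all       all      192.168.0.0  255.255.0.0   trust
host    all       all      ::/0                       password
"""

NETWORK_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")


@dataclass
class Finding:
    lineno: int
    code: str      # short stable tag (hypothetical naming) for reports and tests
    detail: str


def _network_from_fields(addr: str, rest: List[str]):
    """Return (network, method) for either pg_hba.conf address layout.

    7.x:   ADDRESS NETMASK METHOD        e.g. 192.168.0.0 255.255.0.0 trust
    8.0+:  ADDRESS/PREFIX METHOD [opts]  e.g. 192.168.0.0/16 md5
    Raises ValueError for hostnames or keywords such as samenet.
    """
    if len(rest) >= 2:
        try:
            ipaddress.ip_address(rest[0])          # second token a netmask?
            return ipaddress.ip_network(f"{addr}/{rest[0]}", strict=False), rest[1]
        except ValueError:
            pass                                   # no: CIDR layout below
    return ipaddress.ip_network(addr, strict=False), rest[0]


def audit_pg_hba(text: str) -> List[Finding]:
    """Return one Finding per weak property of each TCP/IP entry."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in NETWORK_TYPES or len(fields) < 5:
            continue                               # 'local' (Unix socket) or junk
        db, user, addr, rest = fields[1], fields[2], fields[3], fields[4:]
        try:
            net, method = _network_from_fields(addr, rest)
        except ValueError:
            findings.append(Finding(lineno, "unparsed",
                                    f"cannot size the match set for {addr!r}; review by hand"))
            continue
        if method == "trust":
            findings.append(Finding(lineno, "trust",
                                    f"trust over the network: any client in {net} logs in without a password"))
        if net.prefixlen == 0:
            findings.append(Finding(lineno, "any_host",
                                    f"{net} matches every host; the advisory's precondition holds for any attacker"))
        if db == "all" and user == "all" and not net.is_loopback:
            findings.append(Finding(lineno, "wildcard_principal",
                                    f"all databases and all users reachable from {net}"))
        if method == "password":
            findings.append(Finding(lineno, "cleartext_password",
                                    f"'password' method sends the password in clear text from {net}"))
    return findings


def codes_by_line(findings: List[Finding]) -> dict:
    """Group finding codes by line number, for reporting or assertions."""
    out: dict = {}
    for f in findings:
        out.setdefault(f.lineno, []).append(f.code)
    return out


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f.lineno}: [{f.code}] {f.detail}")
```

On the sample, lines 5, 6 and 7 are reported and the loopback and `payroll` entries are silent. Note that, as Lamar Owen points out above, a pg_hba.conf entry only matters once TCP/IP listening is enabled, so the audit is worth running on any host where that switch has been turned on.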

