BUG #8628: md5 security hole - Mailing list pgsql-bugs

From rob@northleaf.com
Subject BUG #8628: md5 security hole
Date
Msg-id E1Vkcrp-0005Qb-6s@wrigleys.postgresql.org
Responses Re: BUG #8628: md5 security hole  (Francisco Olarte <folarte@peoplecall.com>)
Re: BUG #8628: md5 security hole  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
The following bug has been logged on the website:

Bug reference:      8628
Logged by:          Robert Nichols0n
Email address:      rob@northleaf.com
PostgreSQL version: 9.3.1
Operating system:   Ubuntu Desktop 64 bit
Description:

I am able to log in without a password when the password field is null. If
the field is not null the functionality seems normal; I get rejected unless
the password is correct.  This makes password-based login ridiculous.  Is
this a bug or designed in? I log in with my own code (Qt based) or with
pgAdmin III and I find the same bug. Is it not possible to require a
password at login?


My pg_hba.conf is:
# TYPE  DATABASE        USER            ADDRESS                 METHOD


# "local" is for Unix domain socket connections only
#local   all             all                                       md5
# IPv4 local connections:
hostssl    all             all             127.0.0.1/32            md5
# IPv6 local connections:
#host    all             all             ::1/128                 trust


Thank you.
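
The following is an added example, not part of the original report: it lists which records in the posted pg_hba.conf are actually active and which one a given connection would be matched against, assuming PostgreSQL's documented first-match record selection. The function names `active_rules` and `first_match` are hypothetical, and the parser handles only CIDR addresses and literal or `all` database/user fields.

```python
import ipaddress

# pg_hba.conf as posted in the report (blank lines collapsed).
REPORTED_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
#local   all             all                                       md5
# IPv4 local connections:
hostssl    all             all             127.0.0.1/32            md5
# IPv6 local connections:
#host    all             all             ::1/128                 trust
"""

def active_rules(text):
    """Return the uncommented records in file order.
    Simplification: no quoted fields, CIDR addresses only."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":      # "local" records have no ADDRESS column
            fields.insert(3, None)
        kind, db, user, addr, method = fields[:5]
        rules.append({"type": kind, "db": db, "user": user,
                      "addr": addr, "method": method})
    return rules

def first_match(rules, via, db, user, client_ip=None, ssl=False):
    """Return the first record matching the connection, or None.
    PostgreSQL uses the first matching record and rejects when none matches.
    Simplification: db/user match only a literal name or "all"."""
    for r in rules:
        if (r["type"] == "local") != (via == "local"):
            continue
        if (r["type"], ssl) in (("hostssl", False), ("hostnossl", True)):
            continue
        if via != "local":
            net = ipaddress.ip_network(r["addr"], strict=False)
            if ipaddress.ip_address(client_ip) not in net:
                continue
        if r["db"] in ("all", db) and r["user"] in ("all", user):
            return r
    return None

if __name__ == "__main__":
    rules = active_rules(REPORTED_HBA)
    print("active records:", rules)
    print("TCP+SSL from 127.0.0.1:", first_match(rules, "host", "db", "rob", "127.0.0.1", True))
    print("Unix socket:", first_match(rules, "local", "db", "rob"))
```

Run against the file the server actually loads rather than a pasted copy, since a different file or an unreloaded edit would change the result.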
