| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Devrim GUNDUZ <devrim(at)tr(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: PostgreSQL Password Cracker |
| Date: | 2002-12-31 18:04:13 |
| Message-ID: | 1331.1041357853@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Devrim GUNDUZ <devrim(at)tr(dot)net> writes:
> I had no time to search throug the code; but as far as I understood, it
> *attacks* the database servers with TCP/IP on, right?
No, the program itself simply takes an MD5 hash value and does a
brute-force search for a password that generates that MD5 string.
The comments at the top suggest sniffing a Postgres session startup
exchange in order to see the MD5 value that the user presents; which the
attacker would then give to this program. (Forget it if the session is
Unix-local rather than TCP, or if it's SSL-encrypted...)
This is certainly a theoretically possible attack against someone who
has no clue about security, but I don't put any stock in it as a
practical attack. For starters, if you are talking to your database
across a network that is open to hostile sniffers, you should definitely
be using SSL.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2002-12-31 18:04:43 | Re: Bug in Dependencies Code in 7.3.x? |
| Previous Message | Bruce Momjian | 2002-12-31 17:51:02 | Re: PostgreSQL Password Cracker |