From: | Þórhallur Hálfdánarson <tolli(at)tol(dot)li> |
---|---|
To: | Lamar Owen <lamar(dot)owen(at)wgcr(dot)org> |
Cc: | Sir Mordred The Traitor <mordred(at)s-mail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL |
Date: | 2002-08-26 15:27:57 |
Message-ID: | 20020826152757.T4059@tol.li |
Lists: | pgsql-hackers |
-*- Lamar Owen <lamar(dot)owen(at)wgcr(dot)org> [ 2002-08-26 15:19 ]:
> TCP/IP access must be enabled as well. TCP/IP accessibility is OFF by
> default.
>
> I for one thought that it was normal operating procedure to only allow access
> to trusted machines; maybe I'm odd in that regard.
>
> Hey, if I can connect to postmaster I can DoS it quite easily, by flooding it
> with connection requests.....
>
> But, if we can thwart this, all the better.
Well, ISPs that offer webhosting and database connectivity might also be running a PostgreSQL server that only allows connections from that specific webserver (TCP port 5432 access not blocked, as well as a pg_hba.conf entry). Now, if a user with access to the webserver has privileges to open a socket connection, he could exploit this.
--
Regards,
Tolli
tolli(at)tol(dot)li
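For readers who want to see the hosting setup Tolli describes, the following is an added configuration example, not part of the thread and not PostgreSQL's shipped defaults. The addresses, database and role names are assumptions. It is written in the syntax of current releases; the 7.x series current at the time of this thread enabled TCP with `tcpip_socket = true` in postgresql.conf (off by default, as Lamar notes) and wrote pg_hba.conf addresses as separate IP and netmask columns rather than CIDR notation.

```text
# postgresql.conf on the database server (address assumed for the example)
listen_addresses = '192.0.2.5'   # bind only the server's own interface, not '*'
port = 5432

# pg_hba.conf: the only TCP rule is for the web server.
# TYPE  DATABASE  USER     ADDRESS         METHOD
host    webapp    webuser  192.0.2.10/32   scram-sha-256
# No trailing "host all all 0.0.0.0/0 ..." line: connections from any other
# address are rejected when the rule table is consulted.
```

The caveat is the one the message makes: the address check narrows which host may connect, not which user on that host. Anyone with a shell on 192.0.2.10 who can open a socket to port 5432 passes the address match, and authentication only runs after the postmaster has already accepted the connection, so the connection-handling path is reachable to every local user of the web server, not just the web application. A firewall rule on the database host that permits 5432 only from 192.0.2.10 is the usual companion to this entry, and on PostgreSQL 10 and later `SELECT * FROM pg_hba_file_rules;` shows which rules the server actually loaded, including any parse errors that would silently drop a line.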