| From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
|---|---|
| To: | "John DeSoi" <desoi(at)pgedit(dot)com>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Postgres help (E-mail)" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: EMBEDDED PostgreSQL |
| Date: | 2005-01-26 08:08:00 |
| Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCE476706@algol.sollentuna.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> > Sorry, but any Windows user who thinks he doesn't need security
> > measures equivalent to (not "beyond") minimum Unix practice
> is a dummy
> > about security. Take a look at this LOAD vulnerability
> we're in the
> > midst of patching, and ask yourself whether you aren't glad that it
> > can't be used to get admin privileges on your Windows box.
>
> So a vulnerability exists on Windows even if PostgreSQL is
> only accepting local connections?
No. You need an *authenticated* connection to the database. If your web
interface is open to SQL Injection, you can get in thruogh that, but
else you need some kind of account and connecting permissions to the
database server.
pg_hba also protects you even if you allow connections elsewhere.
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2005-01-26 08:11:10 | Re: EMBEDDED PostgreSQL |
| Previous Message | Jeff Davis | 2005-01-26 08:01:36 | Re: text field constraint advice |