Thread

  1. Servio Medina <smedina@idefense.com> — 2000-04-25T20:04:55Z

    Hello,
    
    The purpose of this email is twofold: 1) to inform you of a reported
    vulnerability by a third party, not myself,  involving one of your products,
    and 2) to obtain confirmation/clarification and knowledge of any measures
    taken to address this in the event it is viable. The report indicates that
    appropriate contact was made to your organization - I trust this is the
    case.
    
    Below is the report (snipped):
    
    --- Begin report ---
    -----Original Message-----
    From: Robert van der Meulen [mailto:rvdm@CISTRON.NL] 
    Sent: Sunday, April 23, 2000 4:03 PM
    To: BUGTRAQ@SECURITYFOCUS.COM
    Subject: Postgresql cleartext password storage
    
    
    Hi,
    
    While migrating some postgres databases to a different server (including
    user accounts) i noticed the following problem in the way postgres stores
    user passwords:
    
    SmellyCat:/var/postgres/data# strings pg_shadow
    someaccountname
    someaccountpassword
    anotheraccountname
    anotheraccountpassword
    SmellyCat:/var/postgres/data#
    
    This means postgresql stores usernames and passwords, cleartext, in
    pg_shadow.
    pg_shadow (and the other administrative tables) are owned by user postgres,
    and only readable by user postgres, although modifying them trough the pgsql
    monitor is usually protected by a password.
    
    The passwords being cleartext, and readable by user postgres (and root,
    ofcourse), allows bypassing the password mechanism, and gives access to all
    databases. (compromising user 'postgres' or reading the pg_shadow file gives
    access to the usernames/passwords)
    
    Ofcourse this came in handy for me, but i think it's not the way it should
    be :)
    I tested this on postgres versions 6.3.2 and 6.5.3 , others probably
    experience this problem as well.
    
    This message is mailed to bugtraq, and Cc'd to the postgresql developers.
    
    Greets,
    	Robert van der Meulen/Emphyrio
    
    --
    
    |      rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl        |
    |          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
    |         My statements are mine, and not necessarily cistron's.           |
    
    
    
    
    --- End report ---
    
    
    An explanation of my query - I work for Infrastructure Defense, Inc., which
    provides private publications to fortune 500 companies about
    information/computer security trends, vulnerabilities, etc. I strive to
    contact the appropriate parties whenever there is a question as to the
    veracity of a post, claim, other. Hence, my email to you.
    
    I hope to hear from you soon.
    
    
    Servio Medina - smedina@idefense.com
    Information Security Analyst
    www.idefense.com 
    
    
    
  2. Re:

    Tom Lane <tgl@sss.pgh.pa.us> — 2000-04-25T21:58:37Z

    Servio Medina <SMedina@iDefense.com> writes:
    > The passwords being cleartext, and readable by user postgres (and root,
    > ofcourse), allows bypassing the password mechanism, and gives access to all
    > databases. (compromising user 'postgres' or reading the pg_shadow file gives
    > access to the usernames/passwords)
    
    Not sure exactly what you think the vulnerability is.  Postgres and root
    can read all the databases anyway, so what matter whether they can read
    the passwords?
    
    Of course, if one also uses one's login password as a database password,
    it'd not be too cool, but cleartext storage of the passwords is far from
    the weakest link...
    
    			regards, tom lane