| Field | Value |
|---|---|
| VID | 25007 |
| Severity | 40 |
| Port | 5432 |
| Protocol | TCP |
| Class | DB |
| Detailed Description | No password is set for the PostgreSQL 'postgres' or 'pgsql' user. This allows remote users to log into the database as those DB users and do whatever they want with the data (deleting a database, adding bogus entries, ...). References: http://cgi.nessus.org/plugins/dump.php3?id=10483 |
| Recommendation | Log into the vulnerable host and set a password for this user with the ALTER USER command (see the documentation at www.postgresql.org). In addition, configure pg_hba.conf to require password (or Kerberos) authentication for all remote hosts that have legitimate access to this database, for example: `host all 0.0.0.0 0.0.0.0 password`. You can also require a password locally over UNIX domain sockets by adding the line `local all password` to this file. |
| Related URL | CVE-1999-0508 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
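A defender-side check for the weak pg_hba.conf configuration the recommendation addresses, written as an added Python example (not part of this advisory or of PostgreSQL): it parses a constructed pg_hba.conf, accepting both the CIDR address form and the older address + netmask form quoted in the recommendation, and reports rules that admit network clients with the `trust` method, i.e. with no password at all. It assumes the TYPE DATABASE USER ADDRESS METHOD column layout of current PostgreSQL releases.

```python
"""Audit a pg_hba.conf for rules that admit clients without a password."""
import ipaddress

# Constructed sample pg_hba.conf (not from any real host); mixes the CIDR
# address form with the older address + netmask form quoted in the advisory.
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS                 METHOD
local   all       all                               trust
host    all       all       127.0.0.1/32            trust
host    all       all       0.0.0.0 0.0.0.0         trust
host    all       postgres  10.0.0.0/8              password
hostssl all       all       0.0.0.0/0               scram-sha-256
"""

# 'trust' is the only built-in method that asks for no credential at all.
NO_CREDENTIAL_METHODS = {"trust"}


def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples, one per rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":                      # UNIX socket rule: no ADDRESS field
            rules.append((f[0], f[1], f[2], None, f[3]))
        elif "/" in f[3]:                        # CIDR form: host db user 10.0.0.0/8 method
            net = ipaddress.ip_network(f[3], strict=False)
            rules.append((f[0], f[1], f[2], net, f[4]))
        else:                                    # legacy form: host db user addr mask method
            net = ipaddress.ip_network((f[3], f[4]), strict=False)
            rules.append((f[0], f[1], f[2], net, f[5]))
    return rules


def find_remote_exposure(rules):
    """Rules that let a non-loopback network client in with no credential."""
    return [
        r for r in rules
        if r[4] in NO_CREDENTIAL_METHODS and r[3] is not None and not r[3].is_loopback
    ]


if __name__ == "__main__":
    for conn_type, db, user, net, method in find_remote_exposure(parse_pg_hba(SAMPLE_PG_HBA)):
        print(f"EXPOSED: {conn_type} {db} {user} {net} {method}")
```

On the sample input only the `host all all 0.0.0.0 0.0.0.0 trust` rule is reported: the local and loopback `trust` rules are not reachable from remote hosts, and the remaining rules require a credential.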