Postgres accepts any password

I have the following code that connects to the database on my remote server (the connecting script is on the same server):

Database::$ErrorHandle = new PDO('pgsql:host=111.222.33.44;dbname=mydatabase;', 'postgres', 'mypassword', $db_settings); 

The problem is that I can change the password to anything at all, and the connection still succeeds! Seriously, what the hell!?!

Can my database be connected to (if they know the IP and db name) by someone from a PHP script running on another server?

How can I enforce passwords? I looked at the following page and did what it said, but still no luck: How to change the password of a PostgreSQL user?

I am running Ubuntu 12.04 server with PHP 5.5 and Apache2.

1 answer

Remember that your PostgreSQL database can be configured to accept connections only from authenticated users, and even only from certain users (roles in Postgres) at specific IP addresses / sockets.

Some considerations:

  • Do you see the data? Or can you just connect to the server? Can you list the databases?

  • Take a look at pg_hba.conf and configure the correct permissions for each role on each database, by source.

  • Did you grant access to mydatabase to everyone? What roles did you give access to?

  • Does the database have its tables in the public schema? And is access granted to public?

  • Yes, with this configuration, anyone who knows your IP and database name can connect to your database.
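
A pg_hba.conf rule whose method is `trust` makes the server accept the connection without checking the password at all, which produces the behaviour described in the question. The following is an added example, not part of the original question or answer: a Python check that parses a pg_hba.conf and reports every `trust` rule with the scope it is reachable from. The sample file contents and the function names are constructed for illustration; include directives and quoted fields are not handled.

```python
import ipaddress

# Constructed sample pg_hba.conf, not taken from the question's server.
SAMPLE_HBA = """\
# TYPE   DATABASE    USER      ADDRESS                  METHOD
local    all         postgres                           peer
host     all         all       127.0.0.1/32             trust
host     mydatabase  all       0.0.0.0/0                trust
host     mydatabase  appuser   10.0.0.0 255.255.255.0   md5
hostssl  all         all       ::/0                     scram-sha-256
"""

AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) for each rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or not a rule
        conn_type, database, user, *rest = fields
        # The method is the first auth keyword after USER; anything before it
        # is the address ("" for local, CIDR, host name, or IP plus netmask).
        idx = next((i for i, f in enumerate(rest) if f in AUTH_METHODS), None)
        if idx is None:
            raise ValueError(f"line {lineno}: no auth method found")
        yield lineno, conn_type, database, user, "/".join(rest[:idx]), rest[idx]

def scope_of(conn_type, address):
    """Classify who can reach a rule: unix-socket, loopback, or remote."""
    if conn_type == "local":
        return "unix-socket"
    try:
        loopback = ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        loopback = False  # host name, all, samehost, samenet: assume wider
    return "loopback" if loopback else "remote"

def find_trust_rules(text):
    """Return (lineno, scope, database, user) for rules that skip the password."""
    return [(n, scope_of(t, addr), db, user)
            for n, t, db, user, addr, method in parse_hba(text)
            if method == "trust"]

if __name__ == "__main__":
    for lineno, scope, db, user in find_trust_rules(SAMPLE_HBA):
        print(f"line {lineno}: trust ({scope}) db={db} user={user}")
```

Any rule reported as `remote` lets every client in that address range connect as the listed users with any password. Changing its method to one that verifies the password, such as `md5`, and reloading the server closes it.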
