From: Martin M. <ma...@bu...> - 2003-09-25 11:29:44
On Thu 25 Sep 2003 00:58, David Smith wrote:
> Christopher Kings-Lynne wrote:
> >>> I am using phpPgAdmin and PostgreSQL on Mac OS X 10.2.6 and found
> >>> a security "concern." I have not quite finished setting up PgSQL and
> >>> it does not load at boot. I occasionally forget to start it before
> >>> I login to phpPgAdmin. Once I get the "Login Failed," I start the
> >>> database. If I have left the page open while starting the database
> >>> and refresh it when I come back without re-entering my password, my
> >>> information has been retained and I am granted access. Not a big
> >>> problem for me, but it might be for others.
> >
> > How is this a security problem? If you press Refresh, by definition
> > your browser will resend the username and password you entered???
>
> If for example you login at the PPA login screen, but it fails because
> the PG server is down. You leave the terminal to go start the PG server
> (for some reason, you can't do it from the same terminal). While you are
> gone, someone hits the browser refresh. They are logged in while you are
> away and have access to the PG server. It would be a hand-hold to fix
> it, but probably worth it considering how easy it would be.

Security doesn't concern stupidity. If you are gone from your WS you
should block the screen. In that case, I could say that it's a security
failure not to notice that it's me on the seat, and not someone else.

-- 
 08:27:01 up 34 days, 9 min, 1 user, load average: 0.24, 0.24, 0.23
-----------------------------------------------------------------
Martín Marqués | mma...@un...
Programmer, Administrator, DBA | Centro de Telematica
Universidad Nacional del Litoral
-----------------------------------------------------------------