> A recent article about an Oracle worm: > http://www.eweek.com/article2/0,1895,1880648,00.asp > got me wondering. > Could a worm like this infect a PostgreSQL installation? > It seems to depend on default usernames and passwords - and > lazy DBAs, IMO. > Isn't it true that PostgreSQL doesn't have any default user/password? That's true. however, PostgreSQL ships by default with access mode set to "trust", which means you don't *need* a password. And I bet you'll find the user being either "postgres" or "pgsql" in 99+% of all installations. We do, however, ship with network access disabled by default. Which means a worm can't get to it, until you enable that. But if you enable network access, and don't change it from "trust" to something else (such as md5), then you're wide open to this kind of entry. (Just create an untrusted PL and hack away - assuming those binaries are inthere, but I bet they are in most installations) //Magnus
