BUG #16433: Information disclosure via log file

Started by PG Bug reporting form · almost 6 years ago · 2 messages · bugs
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 16433
Logged by: lokesh goyal
Email address: lovely.goyal1998@gmail.com
PostgreSQL version: 9.5.0
Operating system: website
Description:

Information disclosure is a critical bug because it contains the information
related to user name, mail_id, password, etc. And I got a log file which
contains the administrator mail_id, username or password, and it also contains
database details, so it must be secure. Because it is very useful for an
attacker to take over any other user's database without authentication.
Hope you check this log file.

Vulnerable link: This is the vulnerable link which discloses the install.log file,
which contains administrator details.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&cad=rja&uact=8&ved=2ahUKEwiz9bOPyrDpAhWMfn0KHQiECysQFjADegQIAxAB&url=https%3A%2F%2Fgroups.google.com%2Fgroup%2Fdataverse-community%2Fattach%2F5cbd71aaad706%2Finstall.log%3Fpart%3D0.2&usg=AOvVaw2zmOeHsbl07Gsvt2TXqDai

#2 Magnus Hagander
magnus@hagander.net
In reply to: PG Bug reporting form (#1)
Re: BUG #16433: Information disclosure via log file

On Wed, May 13, 2020 at 12:41 PM PG Bug reporting form <noreply@postgresql.org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 16433
> Logged by: lokesh goyal
> Email address: lovely.goyal1998@gmail.com
> PostgreSQL version: 9.5.0
> Operating system: website
> Description:
>
> Information disclosure is a critical bug because it contains the information
> related to user name, mail_id, password, etc. And I got a log file which
> contains the administrator mail_id, username or password, and it also contains
> database details, so it must be secure. Because it is very useful for an
> attacker to take over any other user's database without authentication.
> Hope you check this log file.
>
> Vulnerable link: This is the vulnerable link which discloses the install.log file,
> which contains administrator details.
>
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&cad=rja&uact=8&ved=2ahUKEwiz9bOPyrDpAhWMfn0KHQiECysQFjADegQIAxAB&url=https%3A%2F%2Fgroups.google.com%2Fgroup%2Fdataverse-community%2Fattach%2F5cbd71aaad706%2Finstall.log%3Fpart%3D0.2&usg=AOvVaw2zmOeHsbl07Gsvt2TXqDai

This log file is not from PostgreSQL. It appears to be from a product
called "dataverse", so you probably want to contact those people instead.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>