The worst bugs are the simplest bugs

Flask Data provides a one-stop cloud subscription for EDC, data management and statistics.

It is a truism of security that the worst vulnerabilities are usually the simplest: many are configuration bugs or simple design flaws, like leaving temp files world-readable.

Many Open Source projects such as OpenClinica use the excellent PostgreSQL database. You get 90% of Oracle at 10% of the weight, and for free. The problem with projects such as OpenClinica is that the end users are generally security innocents.

In the case of Postgres, the postmaster startup script in /etc/init.d uses the -i parameter by default. This parameter turns on TCP/IP connections from any address, overriding the postgresql.conf and pg_hba.conf definitions. It's actually well documented, but who reads documentation?

In other words, you think you've locked down the server for local connections only, but in fact the server is listening for remote connections from anywhere and inviting dictionary attacks on the postgres user on port 5432. Of course, if you're running a firewall and have blocked everything but what you need, you're OK. OK in the sense that you're fat, dumb and happy, since it's always poor security practice to run unneeded services, and if the firewall is misconfigured or changed for testing purposes, you will be someone's lunch.
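An added audit snippet (not from the original post) that models the point above: it decides whether the effective listening behaviour comes from the startup flag or from postgresql.conf, using constructed sample inputs, and includes a live check of what is actually bound to port 5432. It assumes the classic postmaster command line as the post describes it, and ss(8) for the live check.

```shell
#!/bin/sh
# Added example, not from the original post. The -i postmaster flag means
# "accept TCP/IP connections"; PostgreSQL documents it as equivalent to
# listen_addresses = '*', so it wins over a config file set to localhost.

# Constructed sample init-script command line, as the post describes.
SAMPLE_CMD='/usr/bin/postmaster -i -D /var/lib/pgsql/data'
# Constructed postgresql.conf fragment, "locked down" to local connections.
SAMPLE_CONF=$(cat <<'EOF'
# - Connection Settings -
listen_addresses = 'localhost'
port = 5432
EOF
)

# Print "remote" if the daemon will accept connections on non-loopback
# addresses, "local" otherwise. $1 = command line, $2 = postgresql.conf text.
effective_listen() {
    cmd=$1; conf=$2
    # -i forces TCP/IP on all interfaces regardless of the config file
    case " $cmd " in
        *" -i "*) echo remote; return 0 ;;
    esac
    # Otherwise the file decides: the last uncommented listen_addresses wins
    addr=$(printf '%s\n' "$conf" \
        | sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
        | tail -n 1)
    # An unset listen_addresses defaults to localhost
    case "${addr:-localhost}" in
        ''|localhost|127.0.0.1|::1) echo local ;;
        *) echo remote ;;
    esac
}

# Live check on the host itself: is anything bound to 5432 on a
# non-loopback address? Returns 0 (true) if the port is exposed.
port_exposed() {
    ss -ltn 2>/dev/null \
        | awk '$4 ~ /:5432$/ && $4 !~ /^(127\.|\[::1\])/ { found=1 } END { exit !found }'
}

effective_listen "$SAMPLE_CMD" "$SAMPLE_CONF"                              # remote
effective_listen '/usr/bin/postmaster -D /var/lib/pgsql/data' "$SAMPLE_CONF"  # local
```

Run `port_exposed && echo "5432 reachable from off-box"` on the database host to confirm what the kernel actually has bound, independent of what the config files say.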

More here on this ridiculously simple Postgres security vulnerability.
