Information Leakage from Compromised Resources

A number of ways exist to glean useful information from a compromised host or account:

  • Psql is a terminal-based PostgreSQL client that uses libpq, the C API for PostgreSQL. libpq will attempt to read passwords from the .pgpass file if the connection requires a password and none has been specified. This file is stored in the user's home directory (%APPDATA%\postgresql\pgpass.conf on Windows systems). Interestingly, PostgreSQL verifies the .pgpass file permissions before using its data; if world or group have access to the file it is deemed insecure and ignored (this does not necessarily mean that the passwords in .pgpass are incorrect, though).
  • The presence of a cron job that runs psql at scheduled intervals implies that the database's pg_hba.conf has been configured to allow trusted access from that host/username or that the .pgpass file contains valid credentials. Cron jobs can be listed by executing crontab -l.
  • pgAdmin is a popular GUI query analyzer for Windows systems. It is currently installed with PostgreSQL 8.0 for Windows. pgAdmin stores server details in the registry at HKEY_CURRENT_USER\Software\pgAdmin III\Servers. pgAdmin does not save passwords.
  • If a web server or development system is compromised, the attacker may be able to gain database credentials from an inspection of the source code (likewise if the web server/web application contains a vulnerability permitting source code disclosure). If the application is written ...
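As an added defensive check (example code, not from the book), the following Python mirrors the two facts about .pgpass given above: libpq's permission rule (any group or world bit and the file is ignored) and the file's colon-separated hostname:port:database:username:password format with backslash escapes, so an administrator can audit which hosts hold usable stored credentials without exposing the passwords themselves. The sample file contents and host names are constructed.

```python
import tempfile
from pathlib import Path

# Constructed sample .pgpass (not real credentials): hostname:port:database:username:password
SAMPLE_PGPASS = """# comment and blank lines are ignored
db1.example.test:5432:*:appuser:s3cret
*:*:reports:readonly:hunter2
db2.example.test:5432:prod:ad\\:min:pw
"""

def pgpass_mode_is_acceptable(mode: int) -> bool:
    """libpq ignores .pgpass if any group or world bit is set (this check is skipped on Windows)."""
    return (mode & 0o077) == 0

def parse_pgpass(text: str) -> list:  # (host, port, database, user) per entry; passwords dropped
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        fields, cur, it = [], "", iter(line)
        for ch in it:
            if ch == "\\":                       # next character is literal (":" or "\")
                cur += next(it, "")
            elif ch == ":" and len(fields) < 4:  # only the first four colons split fields
                fields.append(cur)
                cur = ""
            else:
                cur += ch
        fields.append(cur)                       # remainder is the password
        if len(fields) == 5:
            entries.append(tuple(fields[:4]))
    return entries

def audit_pgpass(path: Path) -> dict:
    """Report whether libpq would honour the file and which targets it holds."""
    mode = path.stat().st_mode & 0o777
    targets = parse_pgpass(path.read_text())
    return {"mode": oct(mode), "usable": pgpass_mode_is_acceptable(mode), "targets": targets}

def demo() -> list:
    """Audit the constructed sample at mode 0644 (rejected) then 0600 (accepted)."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / ".pgpass"
        path.write_text(SAMPLE_PGPASS)
        for mode in (0o644, 0o600):
            path.chmod(mode)
            results.append(audit_pgpass(path))
    return results
```

Run against a real ~/.pgpass, a "usable" result with non-empty targets means the host can authenticate to those databases without an interactive password and should be treated as holding credentials.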
