CATProtocol / cat-token-box

A monorepo for packages implementing CAT protocol
https://catprotocol.org
MIT License

Postgres wide open to the public Internet with "postgres" as the password. #49

Open damianharouff opened 6 days ago

damianharouff commented 6 days ago

The postgres container is open to the public Internet with default username and password of "postgres".

This is the default env file that is used for it:

DATABASE_TYPE=postgres
DATABASE_HOST=127.0.0.1
DATABASE_PORT=5432
DATABASE_DB=postgres
DATABASE_USERNAME=postgres
DATABASE_PASSWORD=postgres

Even though postgres is running on 127.0.0.1 inside the container, docker exposes the port publicly. And in combination with postgres:postgres as the username and pass, you can assume what is gonna happen.

Furthermore, I'm sure there's an expectation of changing the username and password, but with people blindly copy and pasting instructions without understanding what they're doing, it's getting left as postgres:postgres.

We've been getting hammered with endless notices that customer servers are compromised by attackers.

Everyone who runs this is at risk of losing everything, because it's wide open to any adversary.
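As an added illustration (not code from the repository or from the reporter), a small audit script that flags the two conditions described in this issue: a compose port mapping that publishes 5432 on every host interface, and the default postgres:postgres credentials in the env file. It assumes the container is started from a docker-compose file using the short-syntax ports entry; the compose and env texts below are constructed samples.

```python
import re

# Constructed samples: the env file quoted in the issue, a compose fragment that
# publishes 5432 on all host interfaces, and one bound to the loopback address.
SAMPLE_ENV = """DATABASE_TYPE=postgres
DATABASE_HOST=127.0.0.1
DATABASE_PORT=5432
DATABASE_DB=postgres
DATABASE_USERNAME=postgres
DATABASE_PASSWORD=postgres
"""
EXPOSED_COMPOSE = """services:
  postgres:
    image: postgres:15
    ports:
      - "5432:5432"
"""
HARDENED_COMPOSE = EXPOSED_COMPOSE.replace('"5432:5432"', '"127.0.0.1:5432:5432"')

# Short-syntax compose port entry: [host_ip:]host_port:container_port[/proto]
PORT_RE = re.compile(
    r'^\s*-\s*["\']?(?:(?P<ip>[\d.]+):)?(?P<host>\d+):(?P<cont>\d+)(?:/\w+)?["\']?\s*$')

def parse_env(text):
    """Parse KEY=VALUE lines into a dict, ignoring blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def audit(compose_text, env_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for line in compose_text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        # No host IP (or 0.0.0.0) publishes the port on all interfaces, and Docker's
        # own iptables rules mean a host firewall such as ufw usually does not block it.
        if m.group("ip") in (None, "0.0.0.0"):
            findings.append(f"port {m.group('host')} published on all interfaces; "
                            f"bind it as 127.0.0.1:{m.group('host')}:{m.group('cont')} "
                            "or remove the mapping if only the app container needs it")
    env = parse_env(env_text)
    if env.get("DATABASE_USERNAME") == "postgres" and env.get("DATABASE_PASSWORD") == "postgres":
        findings.append("DATABASE_USERNAME/DATABASE_PASSWORD are the default postgres:postgres; "
                        "set a unique password before starting the stack")
    return findings

if __name__ == "__main__":
    for finding in audit(EXPOSED_COMPOSE, SAMPLE_ENV):
        print("FINDING:", finding)
```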

xz888888 commented 5 days ago

Could you explain a bit how attackers can access the DB from outside? I don't understand the statement "docker exposes the port publicly". If my router doesn't expose port 5432, how does outside access this port?

damianharouff commented 5 days ago

People are installing it on servers connected to the public Internet.

xz888888 commented 4 days ago

People are installing it on servers connected to the public Internet.

A server that's not behind any kind of router/firewall? That's like waiting for disasters to happen.

damianharouff commented 4 days ago

And yet the only disaster that ever happens is when obviously insecure passwords are used. My favorite is @123 at the end of a common word. Brute forcers will definitely never try that!