Blahaj.zone experienced a security breach and is handling it to properly reduce the risk of harm to their users. The current ETA for their return is in about 7 hours.

  • WhyJiffie@sh.itjust.works
    5 days ago

    They got access but connecting to another database:

    We did not have pgcrypto installed in the peertube database, but I overlooked that someone could connect to the main postgres database if they say had a nodejs plugin running.

    How? Did they use the same database user account for all databases? Unless I misunderstood it, PeerTube’s database user shouldn’t be able to operate in other databases of the same server.

    VLANs suck. They allow for traffic to travel within each VLAN, unmonitored and unrestricted. Sometimes red teamers call that “hard outside, soft inside, like an eggshell”.

    Nonsense. If you don’t use VLANs, you are essentially using a single huge VLAN. Of course using VLANs doesn’t exclude monitoring and firewall restrictions. Could as well say networking sucks, let’s disconnect everything. If you don’t set up monitoring, and you don’t set up restrictions, then yeah, there will be no monitoring and no restrictions, like on any network.

    Better is a private VLAN. Private VLANs enable the firewall to monitor or block all traffic within them.

    Didn’t you just say VLANs wholesale suck?

    Also, PeerTube will require access to the internet…

    You just block everything within itself from communicating with each other,

    If only it were so simple. You can set up routing restrictions between subnets on the IP level, but the switch will gladly forward all traffic anywhere inside of the VLAN, according to the destination MAC address. With that, a compromised system can confuse every other on the VLAN with ARP poisoning and fake DHCP servers.

    In all seriousness, you should be able to migrate them into the same database by dumping the database with pg_dump or a similar utility, and then loading them up using pg_restore. Other databases have equivalent tools. I used the DBeaver open source database GUI to do this a few days ago.

    Yeah, that’s the easier part. But one of the databases is MySQL, which I want to get rid of completely, and conversion is nontrivial. Probably DBeaver could handle it though.
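The per-database confinement that the reply above expects from PeerTube’s database role, written out as an added example that is not from this thread or from the PeerTube project. It assumes a role and a database both named peertube on one PostgreSQL cluster and is run by a superuser.

```sql
-- Added example, not from the thread. Assumes role "peertube" and database "peertube".
-- On a default PostgreSQL cluster every role may CONNECT to every database through
-- the PUBLIC pseudo-role, so an application role that is compromised can open a
-- session in "postgres" (the main database) or in another application's database.

-- 1. Remove the implicit CONNECT grant on the databases the app has no business in.
--    Repeat the REVOKE for every other database on the cluster.
REVOKE CONNECT ON DATABASE postgres FROM PUBLIC;
REVOKE CONNECT ON DATABASE template1 FROM PUBLIC;

-- 2. Grant the application role only its own database.
GRANT CONNECT ON DATABASE peertube TO peertube;

-- 3. Make sure the role carries no cluster-wide attributes that would bypass
--    the per-database grants (superusers ignore CONNECT privileges entirely).
ALTER ROLE peertube NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 4. Verification query: one row per real database and whether the role may
--    connect to it. Anything other than "peertube" reporting true means the
--    role can still reach that database and needs its own REVOKE.
SELECT datname,
       has_database_privilege('peertube', datname, 'CONNECT') AS can_connect
FROM pg_database
WHERE datistemplate = false
ORDER BY datname;
```

The same confinement can additionally be enforced at connection time in pg_hba.conf, where each line names the database(s) a given user may authenticate to; the SQL grants above apply regardless of which host the role connects from.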