FS#4692 - Postgres SQL Injection Attack - ALST
Attached to Project:
Arch Linux
Opened by James Fryman (jfryman) - Wednesday, 24 May 2006, 11:28 GMT
Opened by James Fryman (jfryman) - Wednesday, 24 May 2006, 11:28 GMT
|
Details
Issue
===== Two vulnerabilities have been reported in PostgreSQL, which potentially can be exploited by malicious people to conduct SQL injection attacks. The vulnerabilities are caused due to the differences in the way PostgreSQL server and non-encoding aware applications interpret SQL query strings that contain certain multi-byte characters. A non-encoding aware application may insert escape characters into a malicious query string (e.g. to escape single-quote or backslash characters), without realizing that the escape characters will be interpreted as part of a multi-byte character sequence by the server. This can be exploited to conduct SQL injection attacks by injecting certain multi-byte characters into the query string. Successful exploitation allows bypassing of SQL injection escaping code that are implemented in non-encoding aware applications. Solution ======== Postgres 8.1.4 has been released to patch this vulnerability. It can be downloaded at: http://www.postgresql.org/download/ References ========== http://archives.postgresql.org/pgsql-announce/2006-05/msg00010.php |
This task depends upon
Closed by Judd Vinet (judd)
Wednesday, 24 May 2006, 16:45 GMT
Reason for closing: Fixed
Additional comments about closing: Upgraded
Wednesday, 24 May 2006, 16:45 GMT
Reason for closing: Fixed
Additional comments about closing: Upgraded