
PostgreSQL-8.1.4.txt

Posted May 26, 2006
Site postgresql.org

An attacker able to submit crafted strings to an application that will embed those strings in SQL commands can use invalidly-encoded multibyte characters to bypass standard string-escaping methods, resulting in possible injection of hostile SQL commands into the database. The attacks covered here work in any multibyte encoding. Affected versions: PostgreSQL 8.1.0-8.1.3, 8.0.0-8.0.7, 7.4.0-7.4.12, 7.3.0-7.3.14

tags | advisory
SHA-256 | 1f24512224697c2721795629e394e65c7d12647d4fe34a0ce2f1d81d2f134330

PostgreSQL versions 8.1.4, 8.0.8, 7.4.13 and 7.3.15 have been released 
fixing two security issues.


Details of vulnerability 1
--------------------------
Vulnerability type: SQL Injection
Remotely exploitable: Depends on client

Affected versions: PostgreSQL 8.1.0-8.1.3, 8.0.0-8.0.7,
7.4.0-7.4.12, 7.3.0-7.3.14
Fixed versions: PostgreSQL 8.1.4, 8.0.8, 7.4.13, 7.3.15

Affected platforms: All

CVE: CVE-2006-2313
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2313)


Vulnerability description
-------------------------
An attacker able to submit crafted strings to an application that will
embed those strings in SQL commands can use invalidly-encoded multibyte
characters to bypass standard string-escaping methods, resulting in
possible injection of hostile SQL commands into the database. The
attacks covered here work in any multibyte encoding.


Details of vulnerability 2
--------------------------
Vulnerability type: SQL Injection
Remotely exploitable: Depends on client

Affected versions: PostgreSQL 8.1.0-8.1.3, 8.0.0-8.0.7,
7.4.0-7.4.12, 7.3.0-7.3.14
Fixed versions: PostgreSQL 8.1.4, 8.0.8, 7.4.13, 7.3.15

Affected platforms: All

CVE: CVE-2006-2314
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2314)


Vulnerability description
-------------------------
The widely-used practice of escaping ASCII single quote "'" by turning
it into "\'" is unsafe when operating in multibyte encodings that allow
0x5c (ASCII code for backslash) as the trailing byte of a multibyte
character; this includes at least SJIS, BIG5, GBK, GB18030, and UHC. An
application that uses this conversion while embedding untrusted strings
in SQL commands is vulnerable to SQL-injection attacks if it
communicates with the server in one of these encodings. While the
standard client libraries used with PostgreSQL have escaped "'" in the
safe, SQL-standard way of "''" for some time, the older practice remains
common. As of PostgreSQL versions 8.1.4, 8.0.8, 7.4.13 and 7.3.15, the
server has been modified to reject "\'" when the client is using one of
these encodings.
This does NOT in itself fix all variants of the problem, but it will
make it obvious that such a client is broken and in need of repair.


More information is available on the PostgreSQL website at
http://www.postgresql.org/docs/techdocs.52.



Solution
--------
Upgrade to version 8.1.4, 8.0.8, 7.4.13 or 7.3.15 respectively,
available from http://www.postgresql.org/ftp/ in both source and binary
formats.


Mitigating factors
------------------
* If client_encoding is a single-byte encoding (e.g., one of the
LATINx family), there is no vulnerability.

* If both client and server encodings are UTF8, there is no vulnerability.

* If the application always sends untrusted strings as out-of-line
parameters, instead of embedding them into SQL commands, it is not
vulnerable. This is only available in PostgreSQL 7.4 or later.

* If the application cannot pass invalidly encoded data to the server,
there is no vulnerability (this probably includes all Java and .Net
applications, for example, because of the platforms' handling of
Unicode strings).
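
The byte-level reason behind vulnerability 2 and the single-byte and
invalid-encoding mitigating factors above, as an added Python example that is
not part of the PostgreSQL advisory. The helper names and the sample bytes are
constructed for illustration, and GBK stands in for any of the listed encodings.

```python
# Added illustration; helper names and sample bytes are constructed, not from the advisory.

def legacy_escape(raw: bytes) -> bytes:
    """Byte-wise backslash escaping: the older practice the advisory calls unsafe."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def escape_encoding_aware(raw: bytes, encoding: str) -> bytes:
    """Validate the encoding first, then escape characters rather than bytes."""
    text = raw.decode(encoding)  # strict decode: raises on invalidly encoded input
    return text.replace("\\", "\\\\").replace("'", "''").encode(encoding)

def ends_literal_early(body: bytes, encoding: str) -> bool:
    """Read a string-literal body as characters in `encoding`; True if a quote is left unescaped."""
    text = body.decode(encoding)
    i = 0
    while i < len(text):
        if text[i] == "\\":            # backslash escape consumes the next character
            i += 2
        elif text[i] == "'":
            if text[i + 1:i + 2] != "'":
                return True            # lone quote: the literal would end here
            i += 2                     # doubled quote is one literal quote
        else:
            i += 1
    return False

def is_rejected(raw: bytes, encoding: str) -> bool:
    """True if the encoding-aware escaper refuses the input as invalidly encoded."""
    try:
        escape_encoding_aware(raw, encoding)
    except UnicodeDecodeError:
        return True
    return False

VALID = b"\xbf\x5c'"   # one valid GBK character whose trailing byte is 0x5c, then a quote
INVALID = b"\xbf'"     # a lone GBK lead byte, then a quote (invalidly encoded)

if __name__ == "__main__":
    for name, raw in (("valid", VALID), ("invalid", INVALID)):
        print(name, "legacy/gbk early end:", ends_literal_early(legacy_escape(raw), "gbk"))
    print("legacy/latin1 early end:", ends_literal_early(legacy_escape(INVALID), "latin1"))
    print("aware/gbk early end:", ends_literal_early(escape_encoding_aware(VALID, "gbk"), "gbk"))
    print("aware/gbk rejects invalid:", is_rejected(INVALID, "gbk"))
```

The byte-wise escaper turns the invalid input into a validly encoded string,
so encoding validation after escaping cannot catch it; validation has to happen
before escaping, and escaping has to work on characters.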


Workarounds
-----------
* Changing to a non-multibyte client_encoding will protect against
both vulnerabilities.

* Changing to UTF8 encoding and upgrading to a fixed version of
PostgreSQL will protect the system without client side changes.


Credits
-------
The PostgreSQL Global Development Group thanks Akio Ishida and Yasuo
Ohgaki for reporting these vulnerabilities.


