User: Password:
|
|
Subscribe / Log in / New account

postgresql: SQL injection

Package(s):postgresql CVE #(s):CVE-2006-2313 CVE-2006-2314
Created:May 24, 2006 Updated:June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash.
Alerts:
Fedora FEDORA-2007-0249 php-pear-DB 2007-06-06
Trustix TSLSA-2006-0059 postgresql 2006-10-27
Gentoo 200607-04 postgresql 2006-07-09
SuSE SUSE-SA:2006:030 postgresql 2006-06-09
Ubuntu USN-288-3 dovecot, exim4, postfix 2006-06-09
Ubuntu USN-288-2 postgresql-8.1 2006-06-09
Mandriva MDKSA-2006:098 postgresql 2006-06-07
Debian DSA-1087-1 postgresql 2006-06-03
Ubuntu USN-288-1 postgresql 2006-05-29
rPath rPSA-2006-0080-1 postgresql 2006-05-24
Red Hat RHSA-2006:0526-02 postgresql 2006-05-23
Fedora FEDORA-2006-578 postgresql 2006-05-23
Fedora FEDORA-2006-579 postgresql 2006-05-23

(Log in to post comments)

postgresql: SQL injection

Posted Jun 1, 2006 13:03 UTC (Thu) by kingdon (guest, #4526) [Link]

The http://www.postgresql.org/docs/techdocs.50
article consistently refers to 0xA0-0xFF when they mean
0x80-0xBF (the valid values for a non-initial octet of a
UTF-8 character). See RFC3629 (which also has general
good advice about how to handle UTF-8 and subtle security
problems which can happen).

Anyone know how to tell them? It wasn't immediately apparent.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds