Security
SQL injection vulnerabilities in PostgreSQL
A recent urgent update to PostgreSQL vividly demonstrates the problems with validating user input that are the foundation of SQL injection attacks. Widely used techniques to escape characters in user input can still allow SQL injection when coupled with multibyte character encodings. While this problem was first discovered in PostgreSQL, today's security fix announcement for MySQL indicates a similar problem there as well.
As discussed in the LWN SQL injection article, inserting strings of user input into SQL queries can be hazardous. Many applications do little or no validation of strings entered by a user before dropping them into a query; this negligence can lead to a compromise of the entire database. Better behaved programs attempt to escape various troublesome characters (typically single-quote and backslash), but because of the multibyte-encoding problem, problems can remain.
It is not just database clients that need to validate user input; as the first bug shows, the database server needs to validate it as well. PostgreSQL allows the "\'" (backslash + single-quote) sequence to be used to represent a single-quote character in a query, in addition to the two-single-quote sequence ("''") that is the SQL standard. Unfortunately, the escaping code used by database clients often ignores the character encoding and just looks for bytes with the value 0x27 ("'") and replaces them with an escaped version. The security hole comes about because illegal multibyte character sequences can be used to let quotes slip past the escaping process. An example provided in the technical information describes how this can be done.
In the UTF8 encoding, the byte value 0xc8 introduces a two-byte character; the second byte must be within the range 0xa0-0xff. However, PostgreSQL would accept any value for the second byte and treat both bytes as a single character. A malicious user could enter "0xc8'text", which would be converted by the well-meaning client to "0xc8''text" (or "0xc8\'text"); the server would then treat the 0xc8' or 0xc8\ sequence as a single character, leaving an unescaped single-quote in the input and effectively injecting the attacker-supplied text.
The second issue stems from certain far-eastern encodings where the value 0x5c ("\") is a valid value for the second byte of a two-byte character. In the SJIS encoding for example, the two-byte sequence 0x95 0x5c is a valid character, but a client that is not encoding-aware may try to escape the 'backslash' that it sees by doubling it. Adding single-quotes into the mix provides a means for a SQL injection. "0x95 0x5c'text" could become "0x95 0x5c\''text", which effectively inserts an unescaped single-quote into the query. It is interesting to note that 0x27 ("'") is not a valid value for the second byte of a two-byte character and, if PostgreSQL had rigidly adhered to the SQL standard and only accepted "''" to escape single-quotes, this issue would not exist.
There is a straightforward fix for the first problem: do not accept illegal multibyte character sequences, and refuse to process queries that contain them. Unfortunately, the second problem is more complicated and there is no single simple fix on the database server side. If database clients did their escaping in an encoding-aware manner, this problem would not exist; expecting this from all clients is hopeless, however. The PostgreSQL developers chose to disallow "\'" for any encoding that allows embedded 0x5c bytes. This closes the hole for all clients that use "''" to escape single-quotes, but it still allows injections for clients that use "\'". That change is likely to break those clients altogether, however.
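The following added example (not code from the article or from PostgreSQL) models the two bypasses described above and the fixes. It assumes a lenient pre-fix lexer that swallows any byte after a lead byte >= 0x80 without checking validity, a byte-level client escaper, and the "0xc8'text" and "0x95 0x5c'text" inputs from the article as constructed samples.

```python
# Constructed samples from the article: invalid UTF-8 and valid Shift_JIS input.
UTF8_SAMPLE = b"\xc8'text"       # 0xc8 followed by a quote: not valid UTF-8
SJIS_SAMPLE = b"\x95\x5c'text"   # 0x95 0x5c is one valid SJIS character, then a quote


def naive_escape(raw: bytes) -> bytes:
    """Encoding-unaware client: double every 0x5c and 0x27 byte it sees."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"''")


def lenient_scan(raw: bytes) -> list:
    """Model of the pre-fix server lexer: a lead byte >= 0x80 always consumes
    the following byte as part of a multibyte character, valid or not."""
    chars, i = [], 0
    while i < len(raw):
        width = 2 if raw[i] >= 0x80 and i + 1 < len(raw) else 1
        chars.append(raw[i:i + width])
        i += width
    return chars


def bare_quotes(chars: list) -> int:
    """Count single-quote characters not escaped as '' or \\' (both accepted
    by the pre-fix server); any non-zero result means the string can break
    out of its quoted literal."""
    n, i = 0, 0
    while i < len(chars):
        pair = chars[i:i + 2]
        if pair in ([b"'", b"'"], [b"\\", b"'"]):
            i += 2
            continue
        if chars[i] == b"'":
            n += 1
        i += 1
    return n


def validate_encoding(raw: bytes, encoding: str) -> bool:
    """Server-side fix for the first problem: reject byte strings that are not
    valid in the connection's declared encoding before they reach the lexer."""
    try:
        raw.decode(encoding)
        return True
    except UnicodeDecodeError:
        return False


def safe_escape(raw: bytes, encoding: str) -> bytes:
    """Encoding-aware client escaping using only the standard '' form: decode
    first so a quote inside a multibyte character cannot be misread."""
    return raw.decode(encoding).replace("'", "''").encode(encoding)
```

Run with both samples: the naive client leaves one bare quote behind in each case, `validate_encoding` rejects the UTF-8 sample outright, and `safe_escape` on the SJIS sample yields no bare quote even under the lenient lexer.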
Both of these problems could have been avoided by using prepared statements with placeholders (e.g. 'SELECT * FROM tbl WHERE id=?'). Even if the client libraries did not implement quoting correctly, the SQL engine would still treat the parameter as nothing but data for that particular spot in the query, thereby avoiding the injection. Another way to avoid this kind of problem is to use stored procedures. As these bugs show, it can be very difficult to filter and/or validate user input correctly.
New vulnerabilities
binutils: buffer overflow
| Package(s): | binutils |
| CVE #(s): | CVE-2006-2362 |
| Created: | May 27, 2006 |
| Updated: | August 29, 2006 |
| Description: | The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code. |
cherrypy: information disclosure
| Package(s): | cherrypy |
| CVE #(s): | CVE-2006-0847 |
| Created: | May 31, 2006 |
| Updated: | May 31, 2006 |
| Description: | The CherryPy web development framework (prior to version 2.1.1) has a directory traversal vulnerability which could lead to undesired information disclosure. |
dovecot: information disclosure
| Package(s): | dovecot |
| CVE #(s): | CVE-2006-2414 |
| Created: | May 31, 2006 |
| Updated: | June 14, 2006 |
| Description: | The Dovecot IMAP server contains a directory traversal vulnerability which could be exploited by authenticated users to read files other than their mailboxes. |
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-2440 |
| Created: | May 25, 2006 |
| Updated: | September 5, 2006 |
| Description: | The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result. |
kernel: netfilter memory corruption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2444 |
| Created: | May 25, 2006 |
| Updated: | July 5, 2006 |
| Description: | The 2.6.12 kernel has a memory corruption vulnerability that can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is network-address-translated. |
kernel: information disclosure
| Package(s): | kernel |
| CVE #(s): | CVE-2006-1343 |
| Created: | May 31, 2006 |
| Updated: | July 20, 2006 |
| Description: | The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release. |
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CVE-2006-2656 |
| Created: | May 26, 2006 |
| Updated: | June 8, 2006 |
| Description: | The tiffsplit command has a problem in the way that it handles fixed-size buffers; a stack overflow can result. |
lynx: denial of service
| Package(s): | lynx |
| CVE #(s): | CVE-2004-1617 |
| Created: | May 26, 2006 |
| Updated: | June 1, 2006 |
| Description: | The lynx text-mode web browser has a problem handling invalid HTML involving the TEXTAREA tag. An infinite loop can result, causing a denial of service. |
php: multiple vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2006-1990 CVE-2006-1991 CVE-2006-3017 |
| Created: | May 25, 2006 |
| Updated: | August 18, 2006 |
| Description: | The PHP wordwrap() function is vulnerable to an integer overflow. Attackers can submit long arguments to cause a heap-based buffer overflow, allowing arbitrary code execution. PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function: an attacker can use an out-of-bounds offset argument to cause a memory access violation, causing a denial of service. A bug in zend_hash_del() allowed attackers to prevent the unsetting of some variables. |
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
| CVE #(s): | CVE-2006-1174 |
| Created: | May 25, 2006 |
| Updated: | June 12, 2007 |
| Description: | The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called. |
tiff: denial of service
| Package(s): | tiff |
| CVE #(s): | CVE-2006-2120 |
| Created: | May 27, 2006 |
| Updated: | May 31, 2006 |
| Description: | The tiff image library is vulnerable to a denial of service attack. Images with specially crafted Yr/Yg/Yb values that exceed the YCR/YCG/YCB values can cause a crash of the associated application. |
typespeed: buffer overflow
| Package(s): | typespeed |
| CVE #(s): | CVE-2006-1515 |
| Created: | May 31, 2006 |
| Updated: | June 19, 2006 |
| Description: | The typespeed game has a buffer overflow in its network data processing code which could possibly be exploited to execute arbitrary code. |
vixie-cron: privilege escalation
| Package(s): | cron |
| CVE #(s): | CVE-2006-2607 |
| Created: | May 31, 2006 |
| Updated: | June 1, 2009 |
| Description: | The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
Page editor: Jonathan Corbet