oss-sec mailing list archives

Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1


From: Robert Haas <robertmhaas () gmail com>
Date: Fri, 30 Mar 2012 11:27:29 -0400

On Fri, Mar 30, 2012 at 8:51 AM, Ludwig Nussel <ludwig.nussel () suse de> wrote:
> Postgresql 9.1 turned "standard conforming strings" on by default[1][2].
> postgresql-jdbc before version 8.2-504 however did not know about that
> kind of string and escaped single quotes with a backslash always. When
> such an old version of postgresql-jdbc is used with a newer postgresql
> server it not only breaks when strings contain single quotes, it also
> allows for SQL injections[3].
> The bug is neither in postgresql-jdbc as it was working correctly at the
> time it was released, nor is it really postgresql 9.1's fault which I
> guess doesn't expect and can't detect such an old jdbc adapter. The
> security issue arises when mixing the old adapter and the new server.

Right.  This issue has been previously reported to pgsql-security.
The position of the pgsql-jdbc project is that a client version should
be used with a matching server version; therefore, the project views
the proposed combination as an unsupported configuration.  Moreover,
PostgreSQL 8.2.x and postgresql-jdbc-8.2-x were desupported in general
as of December 2011.  The end of life dates for each major release are
documented on our web site[1], and the pgsql-jdbc download site[2]
clearly identifies this version of the driver as an "archived version"
rather than a "supported version".  As a rule, bug fix and security
updates are not released for versions which are no longer supported;
users are advised to update to a supported version.  Users of
pgsql-jdbc are further advised to use a major version that matches the
PostgreSQL server to which they are connecting.

[1] http://www.postgresql.org/support/versioning/
[2] http://jdbc.postgresql.org/download.html

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
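The driver/server mismatch Ludwig describes, as an added illustration that is not code from this thread or from the pgsql-jdbc project: a constructed approximation of the old driver's backslash escaping (legacy_jdbc_escape) beside SQL-standard quote doubling, each run through a small model of how the server delimits a string literal under either standard_conforming_strings setting. The escape_fn names and the literal_end model are assumptions made for this example, not the real driver or parser.

```python
"""Model of why backslash-escaped quotes fail under standard_conforming_strings=on."""


def legacy_jdbc_escape(value: str) -> str:
    # Constructed approximation of the pre-8.2-504 driver behaviour from the
    # thread: backslashes are doubled and a single quote becomes \'  (assumption).
    return value.replace("\\", "\\\\").replace("'", "\\'")


def doubled_quote_escape(value: str) -> str:
    # SQL-standard escaping: a quote inside a literal is written as two quotes.
    return value.replace("'", "''")


def literal_end(sql: str, start: int, standard_conforming: bool) -> int:
    """Index one past the closing quote of the literal that opens at sql[start].

    Simplified model: with standard_conforming_strings=off a backslash escapes
    the next character; with it on, a backslash is an ordinary character.
    A doubled quote is an escaped quote in both modes.
    """
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and not standard_conforming:
            i += 2                      # legacy mode: \x is one escaped char
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # '' stays inside the literal
                continue
            return i + 1                # lone quote closes the literal
        i += 1
    raise ValueError("unterminated string literal")


def escapes_literal(value: str, escape_fn, standard_conforming: bool) -> bool:
    """True if any part of the escaped value is parsed as SQL outside the literal.

    Constructed sample statement; a value that stays inside its quotes leaves
    nothing after the closing quote. An unterminated literal is also unsafe.
    """
    prefix = "SELECT 1 WHERE name = "
    sql = f"{prefix}'{escape_fn(value)}'"
    try:
        end = literal_end(sql, len(prefix), standard_conforming)
    except ValueError:
        return True
    return sql[end:] != ""
```

With the input O'Brien, the legacy escaping stays inside the literal only when the server still interprets backslashes; quote doubling stays inside it under both settings.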
