oss-sec mailing list archives
Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1
From: Robert Haas <robertmhaas () gmail com>
Date: Fri, 30 Mar 2012 11:27:29 -0400
On Fri, Mar 30, 2012 at 8:51 AM, Ludwig Nussel <ludwig.nussel () suse de> wrote:
Postgresql 9.1 turned "standard conforming strings" on by default[1][2]. postgresql-jdbc before version 8.2-504 however did not know about that kind of string and escaped single quotes with a backslash always. When such an old version of postgresql-jdbc is used with a newer postgresql server it not only breaks when strings contain single quotes, it also allows for SQL injections[3]. The bug is neither in postgresql-jdbc as it was working correctly at the time it was released, nor is it really postgresql 9.1's fault which I guess doesn't expect and can't detect such an old jdbc adapter. The security issue arises when mixing the old adapter and the new server.
Right. This issue has been previously reported to pgsql-security.

The position of the pgsql-jdbc project is that a client version should be used with a matching server version; therefore, the project views the proposed combination as an unsupported configuration. Moreover, PostgreSQL 8.2.x and postgresql-jdbc-8.2-x were desupported in general as of December 2011. The end of life dates for each major release are documented on our web site[1], and the pgsql-jdbc download site[2] clearly identifies this version of the driver as an "archived version" rather than a "supported version". As a rule, bug fix and security updates are not released for versions which are no longer supported; users are advised to update to a supported version. Users of pgsql-jdbc are further advised to use a major version that matches the PostgreSQL server to which they are connecting.

[1] http://www.postgresql.org/support/versioning/
[2] http://jdbc.postgresql.org/download.html

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
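The mismatch Ludwig describes above, modelled as an added example (not code from the thread or from the postgresql-jdbc project): a small lexer that reads a single-quoted literal the way the server does with standard_conforming_strings on or off, a legacy backslash-quoting routine in the style of the old driver (the handling of literal backslashes is an assumption), and a server-aware escaper that doubles quotes in both modes and doubles backslashes only when the server reports the setting off. A driver can learn the server's setting with `SHOW standard_conforming_strings`; the `scs` argument stands in for that lookup.

```python
# Added example: models PostgreSQL literal lexing under both values of
# standard_conforming_strings (scs) and compares two client-side escapers.

def escape_legacy_backslash(value: str) -> str:
    """Old-driver style: every single quote becomes \\' (backslash handling assumed)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def escape_for_server(value: str, scs: bool) -> str:
    """Portable escaping: double quotes always; double backslashes only when scs is off,
    because in that mode the server still treats a backslash as an escape character."""
    if not scs:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"

def lex_literal(sql: str, scs: bool):
    """Return (value, remaining_sql) for the quoted literal at the start of sql.
    With scs off a backslash escapes the next character; with scs on it is ordinary."""
    if not sql.startswith("'"):
        raise ValueError("expected a single-quoted literal")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and not scs and i + 1 < len(sql):
            out.append(sql[i + 1])          # backslash escape (legacy mode only)
            i += 2
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")             # doubled quote, valid in both modes
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # literal ends here
        out.append(ch)
        i += 1
    raise ValueError("unterminated literal")

def round_trips(literal: str, value: str, scs: bool) -> bool:
    """True if the server reads back exactly `value` and nothing is left over."""
    parsed, rest = lex_literal(literal, scs)
    return parsed == value and rest == ""

# Constructed sample: an ordinary value containing a quote and a backslash.
SAMPLE = "O'Reilly \\ Associates"
```

With `scs=True` the legacy literal terminates at the backslash-quote pair and leaves text outside the string, which is the condition the thread describes; the server-aware escaper round-trips in both modes.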