oss-sec mailing list archives
Re: Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Wed, 04 Apr 2012 10:26:34 +0200
Robert Haas wrote:
On Fri, Mar 30, 2012 at 8:51 AM, Ludwig Nussel <ludwig.nussel () suse de> wrote:Postgresql 9.1 turned "standard conforming strings" on by default[1][2]. postgresql-jdbc before version 8.2-504 however did not know about that kind of string and escaped single quotes with a backslash always. When such an old version of postgresql-jdbc is used with a newer postgresql server it not only breaks when strings contain single quotes, it also allows for SQL injections[3]. The bug is neither in postgresql-jdbc as it was working correctly at the time it was released, nor is it really postgresql 9.1's fault which I guess doesn't expect and can't detect such an old jdbc adapter. The security issue arises when mixing the old adapter and the new server.Right. This issue has been previously reported to pgsql-security. The position of the pgsql-jdbc project is that a client version should be used with a matching server version; therefore, the project views the proposed combination as an unsupported configuration.
Sure, no doubt about that. The postgresql-jdbc package should have been updated a long time ago but obviously was forgotten. If we had updated it a year ago we'd have created a normal version update due to EOL of the old package with no security context at all. Now that it's known that the unsupported combination of versions allows for SQL injection however the update suddenly becomes security relevant. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Current thread:
- Re: Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Ludwig Nussel (Apr 04)