FW: iDefense Q2 2006 Vulnerability Challenge

Started by Magnus Hagander over 19 years ago, 3 messages
#1Magnus Hagander
mha@sollentuna.net

For those that haven't already seen it, this might give some extra
exposure to PostgreSQL wrt vulnerability research. Though I think nobody
will have a chance to find one (I just don't see how you could possibly
get root through postgresql, since we refuse to run as root), other
things might be exposed by someone who's poking around.

//Magnus

-----Original Message-----
From: labs-no-reply@idefense.com [mailto:labs-no-reply@idefense.com]
Sent: Wednesday, May 17, 2006 7:15 AM
To: bugtraq@securityfocus.com; vulnwatch@vulnwatch.org;
full-disclosure@lists.grok.org.uk
Subject: iDefense Q2 2006 Vulnerability Challenge

iDefense Labs is pleased to announce the launch of the next
installment in our quarterly vulnerability challenge. Last
quarter's challenge focused on critical vulnerabilities in
Microsoft products and was a great success. We would like to
thank everyone that forwarded submissions prior to the
deadline on March 31, 2006. We look forward to announcing
award winners once public advisories become available for the
vulnerabilities.

For the second quarter of 2006, we're shifting the focus from
vendor to technology. This time around, we're focusing on
database vulnerabilities. For submissions received before
June 30, 2006, iDefense Labs will pay $10,000 for each
vulnerability submission that results in the discovery of a
remotely exploitable database vulnerability that meets the
following criteria.

- Technologies:
  - Oracle Database 10G
  - Microsoft SQL Server 2005
  - IBM DB Universal Database 8.2
  - MySQL 5.0
  - PostgreSQL 8.1
- The vulnerability must be original and not previously disclosed
  either publicly or to the vendor by another party
- The vulnerability must be remotely exploitable in a default
  installation of one of the targeted technologies
- The vulnerability must exist in the latest version of the affected
  technology with all current patches/upgrades applied
- The vulnerability cannot be caused by or require third party
  software
- The vulnerability must result in root access on the target machine
- The vulnerability must not require the use of authentication
  credentials
- The vulnerability must receive the vendor's maximum severity ranking
  when the advisory is published (if applicable).

In order to qualify, the submission must be sent during the
current quarter and be received by midnight EST on June 30,
2006. The $10,000 prizes will be paid out following
confirmation with the affected vendor and will be paid in
addition to any amount paid for the vulnerability when it is
first accepted. Only the initial submission for a given
vulnerability will qualify for the reward and a maximum of
six awards will be paid out. Should more than six submissions
qualify, the first six submissions will receive the reward.

Further details on the iDefense Vulnerability Contributor
Program (VCP) can be found at:

http://labs.idefense.com/vcp.php

Michael Sutton
Director, iDefense Labs

#2Tom Lane
tgl@sss.pgh.pa.us
In reply to: Magnus Hagander (#1)
Re: FW: iDefense Q2 2006 Vulnerability Challenge

"Magnus Hagander" <mha@sollentuna.net> writes:
> For those that haven't already seen it, this might give some extra
> exposure to PostgreSQL wrt vulnerability research. Though I think nobody
> will have a chance to find one (I just don't see how you could possibly
> get root through postgresql, since we refuse to run as root), other
> things might be exposed by someone who's poking around.

Yeah, I think they've really done the database community a disservice by
defining interesting exploits as being only those resulting in root.
An exploit that lets you get database superuser privs would be the
appropriate criterion here, IMHO.

regards, tom lane

#3Robert Treat
xzilla@users.sourceforge.net
In reply to: Tom Lane (#2)
Re: FW: iDefense Q2 2006 Vulnerability Challenge

On Sunday 21 May 2006 18:43, Tom Lane wrote:

> "Magnus Hagander" <mha@sollentuna.net> writes:
> > For those that haven't already seen it, this might give some extra
> > exposure to PostgreSQL wrt vulnerability research. Though I think nobody
> > will have a chance to find one (I just don't see how you could possibly
> > get root through postgresql, since we refuse to run as root), other
> > things might be exposed by someone who's poking around.
>
> Yeah, I think they've really done the database community a disservice by
> defining interesting exploits as being only those resulting in root.
> An exploit that lets you get database superuser privs would be the
> appropriate criterion here, IMHO.

Agreed, although with some other databases, root level exploits are certainly
a possibility. OTOH maybe someone should email them and see if we can
convince them to donate $10,000 to the foundation if no root vulnerabilities
are found... :-)

--
Robert Treat
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL