Embedded SQL vulnerability
Has anyone added anything into the client library along the lines of the
suggestion made in
http://cert.uni-stuttgart.de/advisories/apache_auth.php
I have just upgraded to 7.1.3 on RH7.1, I wasn't going to bother with the
source. But we do use our database for authentication and consequently are
vulnerable.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Glen and Rosanne Eustace,
GodZone Internet Services, a division of AGRE Enterprises Ltd.,
P.O. Box 8020, Palmerston North, New Zealand 5301
Ph/Fax: +64 6 357 8168, Mob: +64 21 424 015
Glen Eustace <geustace@godzone.net.nz> writes:
Has anyone added anything into the client library along the lines of the
suggestion made in http://cert.uni-stuttgart.de/advisories/apache_auth.php
I have just upgraded to 7.1.3 on RH7.1, I wasn't going to bother with the
source. But we do use our database for authentication and consequently are
vulnerable.
A patch did go in just recently, but didn't make it into 7.1.3.
You can always do the escaping yourself--the patch just makes the
escape call available in the library; it doesn't automatically fix
your code.
-Doug
--
Free Dmitry Sklyarov!
http://www.freesklyarov.org/
We will return to our regularly scheduled signature shortly.
On Saturday 01 September 2001 12:26, Doug McNaught wrote:
A patch did go in just recently, but didn't make it into 7.1.3.
You can always do the escaping yourself--the patch just makes the
escape call available in the library; it doesn't automatically fix
your code.
Agreed, but if it were in a library that I am linking already, then I don't
need to either have a library of my own or add code to 'escape' to each
programme.
In the interim, I have simply added the code to mod_auth_pgsql
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Glen and Rosanne Eustace,
GodZone Internet Services, a division of AGRE Enterprises Ltd.,
P.O. Box 8020, Palmerston North, New Zealand 5301
Ph/Fax: +64 6 357 8168, Mob: +64 21 424 015
On Sat, Sep 01, 2001 at 11:12:34AM +1200, Glen Eustace wrote:
Is this somehow related to ecpg? I just noticed the term "embedded" in the
subject. :-)
In fact ecpg does have its own function to quote escape characters. It does
not quote \0 but it does quote \' to \'\' and \\ to \\\\.
Michael
--
Michael Meskes
Michael@Fam-Meskes.De
Go SF 49ers! Go Rhein Fire!
Use Debian GNU/Linux! Use PostgreSQL!