On Wed, Jul 23, 2003 at 05:30:52PM -0700, Barry Lind wrote:
> New 7.3 and Dev builds for the driver are posted to the website. These
> fix two additional sql injection vulnerabilities reported by Oliver
> Jowett and Dmitry Tkach.
Now that it's patched, the one I reported was that you could insert a
literal \0 via setString() and friends, which the backend treated as "end of
query", so you could use a string like this:
"\0Qrollback;begin;insert into testquerynull(sensitive) values (42);commit\0"
to inject your own query. I suspect this one's been around for quite a
while: I noticed it a few months ago when inadvertently trying to insert
binary data as a String .. but didn't make the connection that it could be
used to inject new queries until the setObject() discussion came up.
In response to
pgsql-jdbc by date
|Next:||From: Barry Lind||Date: 2003-07-24 02:18:15|
|Subject: Re: psql and jdbc insert discrepencies|
|Previous:||From: Barry Lind||Date: 2003-07-24 00:30:52|
|Subject: New builds posted to jdbc.postgresql.org websit for jdbc driver|