
question about security hole CVE-2006-2313 and UTF-8

From: "Albe Laurenz" <all(at)adv(dot)magwien(dot)gv(dot)at>
To: <pgsql-hackers(at)postgresql(dot)org>
Subject: question about security hole CVE-2006-2313 and UTF-8
Date: 2006-05-29 15:22:27
Message-ID: 52EF20B2E3209443BC37736D00C3C13808A49ACF@EXADV1.host.magwien.gv.at
Lists: pgsql-hackers

I have been experimenting with the exploit described in
http://www.postgresql.org/docs/techdocs.50 to see if our databases
are affected.

Server is 8.1.3, database encoding UTF8.
Client is a C program compiled and linked against libpq version 8.1.3
that uses UTF8 encoding.

I sent the following query:

od -c bad.sql
0000000   S   E   L   E   C   T       '   h   a   r   m   l   e   s   s
0000020 303   '   '   ,       c   u   r   r   e   n   t   _   d   a   t
0000040   e       a   s       m   a   l   i   c   i   o   u   s   ,    
0000060   0       a   s       d   e   c   o   y 303   '
0000074

but the server treats the sequence of 0xC3 (octal 303) and 0x27 (apostrophe)
as two different characters.

If I change the 0x27 after the 0xC3 to 0xA4 in both cases, the resulting
sequence is correctly treated as a single character (German umlaut a).

The question: Since neither the apostrophe nor the backslash can be
a valid second byte of a UTF-8 sequence, how is it possible to
inject code by exploiting an application that escapes quotes in strings
and then uses them in queries sent to the server?

It seems to me that UTF-8 databases are safe.

Yours,
Laurenz Albe
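The observation in the post rests on one property of UTF-8: every continuation byte is of the form 10xxxxxx (0x80..0xBF), so an ASCII byte such as 0x27 (apostrophe) or 0x5C (backslash) can never be absorbed into a multibyte character. The following script is an added illustration, not code from the post or from the PostgreSQL project. It rebuilds the query bytes from the `od -c` dump above, segments them with a small UTF-8 lead/continuation scanner, and confirms that the doubled quote after the lone 0xC3 survives as two ordinary apostrophes, while the 0xA4 variant the author describes decodes as a single character. The function and variable names (`segment_utf8`, `BAD_SQL`, `GOOD_SQL`) are assumptions for the example; the defensive point it demonstrates is that rejecting byte strings which are not strictly valid UTF-8 before they reach quote escaping removes the ambiguity entirely.

```python
# Added example (not from the original post): segment the bytes of the
# od -c dump as UTF-8 and check how the apostrophes are interpreted.

from typing import List, Tuple

# Sample input reconstructed from the od -c output in the post (60 bytes).
BAD_SQL = b"SELECT 'harmless\xc3'', current_date as malicious, 0 as decoy\xc3'"
# Constructed variant: the 0x27 after each 0xC3 replaced by 0xA4, which
# makes 0xC3 0xA4 a valid two-byte sequence (the umlaut "\u00e4").
GOOD_SQL = BAD_SQL.replace(b"\xc3'", b"\xc3\xa4")


def segment_utf8(data: bytes) -> List[Tuple[int, bytes, bool]]:
    """Split data into (offset, sequence, structurally_valid) triples.

    A lead byte announces a length; each following byte must be a
    continuation byte in 0x80..0xBF. If a continuation byte is missing or
    out of range, the lead byte alone is reported as invalid and scanning
    resumes at the very next byte, so a stray 0xC3 can never swallow the
    apostrophe or backslash that follows it. (Overlong and surrogate
    encodings are left to the strict decoder in is_valid_utf8.)
    """
    out: List[Tuple[int, bytes, bool]] = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            length = 1
        elif 0xC2 <= b <= 0xDF:
            length = 2
        elif 0xE0 <= b <= 0xEF:
            length = 3
        elif 0xF0 <= b <= 0xF4:
            length = 4
        else:
            # 0x80..0xC1 and 0xF5..0xFF can never start a sequence.
            out.append((i, data[i:i + 1], False))
            i += 1
            continue
        seq = data[i:i + length]
        ok = len(seq) == length and all(0x80 <= c <= 0xBF for c in seq[1:])
        if ok:
            out.append((i, seq, True))
            i += length
        else:
            out.append((i, data[i:i + 1], False))
            i += 1
    return out


def invalid_offsets(data: bytes) -> List[int]:
    """Byte offsets of every sequence the scanner could not complete."""
    return [off for off, _seq, ok in segment_utf8(data) if not ok]


def count_literal_quotes(data: bytes) -> int:
    """Apostrophes that remain stand-alone characters after segmentation."""
    return sum(1 for _off, seq, _ok in segment_utf8(data) if seq == b"'")


def is_valid_utf8(data: bytes) -> bool:
    """Strict validity: Python's decoder rejects stray lead bytes, bad
    continuation bytes, overlong forms and surrogates. Input that fails this
    check should be refused before any quote escaping is applied."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    for name, data in (("bad.sql", BAD_SQL), ("umlaut variant", GOOD_SQL)):
        print(name, "valid UTF-8:", is_valid_utf8(data),
              "invalid lead bytes at:", invalid_offsets(data),
              "stand-alone apostrophes:", count_literal_quotes(data))
```

Run stand-alone, the script reports that `bad.sql` is not valid UTF-8, that the two lone 0xC3 bytes sit at offsets 16 and 58, and that all four apostrophes are still seen individually (the `''` pair therefore still reads as one escaped quote inside the literal). The umlaut variant decodes cleanly and contains only the two apostrophes that delimit the literal.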
