From: | Justin Clift <justin(at)postgresql(dot)org> |
---|---|
To: | Florian Weimer <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [SECURITY] DoS attack on backend possible (was: Re: |
Date: | 2002-08-11 16:26:56 |
Message-ID: | 3D569050.87E7A4CA@postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers pgsql-hackers |
Hi Florian,
Am I understanding this right:
- A PostgreSQL 7.2.1 server can be crashed if it gets passed certain
date values which would be accepted by standard "front end" parsing?
So, a web application layer can request a date from a user, do standard
integrity checks (like looking for weird characters and formatting
hacks) on the date given, then use the date as part of a SQL query, and
PostgreSQL will die?
?
Regards and best wishes,
Justin Clift
Florian Weimer wrote:
>
> Justin Clift <justin(at)postgresql(dot)org> writes:
>
> > Is it possible to crash a 7.2.1 backend without having an entry in the
> > pg_hba.conf file?
>
> No, but think of web applications and things like that. The web
> frontend might pass in a date string which crashes the server backend.
> Since the crash can be triggered by mere data, an attacker does not
> have to be able to send specific SQL statements to the server.
>
> --
> Florian Weimer Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE
> University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT fax +49-711-685-5898
--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2002-08-11 17:09:41 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
Previous Message | Florian Weimer | 2002-08-11 15:00:40 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2002-08-11 17:09:41 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
Previous Message | Gavin Sherry | 2002-08-11 16:00:55 | Re: CREATE OR REPLACE TRIGGER |