Skip site navigation (1) Skip section navigation (2)

question about security hole CVE-2006-2313 and UTF-8

From: "Albe Laurenz" <all(at)adv(dot)magwien(dot)gv(dot)at>
To: <pgsql-hackers(at)postgresql(dot)org>
Subject: question about security hole CVE-2006-2313 and UTF-8
Date: 2006-05-29 15:22:27
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
I have been experimenting with the exploit described in to see if our databases
are affected.

Server is 8.1.3, database encoding UTF8.
Client is a C program compiled and linked against libpq version 8.1.3
that uses UTF8 encoding.

I sent the following query:

od -c bad.sql
0000000   S   E   L   E   C   T       '   h   a   r   m   l   e   s   s
0000020 303   '   '   ,       c   u   r   r   e   n   t   _   d   a   t
0000040   e       a   s       m   a   l   i   c   i   o   u   s   ,    
0000060   0       a   s       d   e   c   o   y 303   '

but the server treats the sequence of 0xC3 (octal 303) and 0x27
as two different characters.

If I change the 0x27 after the 0xC3 to 0xA4 in both cases, the resulting
sequence is correctly treated as a single character (German umlaut a).

The question: Since neither the apostrophe nor the backslash can be
a valid second byte of an UTF-8 sequence, how is it possible to
inject code by exploiting an application that escapes quotes in strings
and then uses them in queries sent to the server?

It seems to me that UTF-8 databases are safe.

Laurenz Albe


pgsql-hackers by date

Next:From: Bruce MomjianDate: 2006-05-29 15:26:02
Subject: Re: some question about deadlock
Previous:From: ipigDate: 2006-05-29 15:20:58
Subject: Re: some question about deadlock

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group