| From: | Florian Weimer <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE> |
|---|---|
| To: | "Zeugswetter Andreas SB SD" <ZeugswetterA(at)spardat(dot)at> |
| Cc: | <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [SECURITY] DoS attack on backend possible |
| Date: | 2002-08-20 16:31:28 |
| Message-ID: | 877kil4hlr.fsf@CERT.Uni-Stuttgart.DE |
| Lists: | pgsql-hackers |
"Zeugswetter Andreas SB SD" <ZeugswetterA(at)spardat(dot)at> writes:
> Yes, but what is currently missing is a protocol to the backend
> where a statement is prepared with placeholders and then executed
> (multiple times) with given values. Then there is no doubt what is a
> value, and what a part of the SQL.
This wouldn't have helped in the current case. The bug is in the
datetime parser which translates strings to an external
representation, not in the SQL parser.
--
Florian Weimer Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
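The distinction Florian draws above (SQL parser versus a data type's input parser) is easy to see in PostgreSQL itself. The following is an added illustration, not code from the thread or from the PostgreSQL project: a server-side prepared statement with a typed placeholder keeps the value out of the SQL text, but the value is still handed to the timestamp input routine when the statement is executed. The `messages` table and the sample values are constructed for this example.

```sql
-- Added example (not from the thread). Assumes a PostgreSQL session (psql).
-- Constructed table and data so the statements below run on their own.
CREATE TEMP TABLE messages (
    msg_id  serial PRIMARY KEY,
    sent_at timestamp NOT NULL
);
INSERT INTO messages (sent_at) VALUES ('2002-08-20 16:31:28');

-- 1. Value embedded in the SQL text (what a client does when it concatenates).
--    The literal is parsed by the SQL parser as a string, then converted by the
--    timestamp input function. A hostile value can alter the statement itself
--    (SQL injection) AND still reaches the datetime parser.
SELECT msg_id FROM messages WHERE sent_at >= '2002-08-20 16:31:28';

-- 2. Prepared statement with a typed placeholder: the SQL text is fixed, so the
--    value can no longer change the statement's structure.
PREPARE since(timestamp) AS
    SELECT msg_id FROM messages WHERE sent_at >= $1;

--    ...but EXECUTE converts the parameter with the same timestamp input
--    routine, so a bug in that routine is reached exactly as in case 1.
EXECUTE since('2002-08-20 16:31:28');

-- 3. Constructed malformed value: the statement structure is untouched, yet the
--    string is passed unchanged to the datetime parser via an I/O cast. Whether
--    it is rejected cleanly or mishandled is decided by that parser alone; the
--    placeholder mechanism offers no protection at this layer.
EXECUTE since((repeat('9', 4096))::timestamp);

DEALLOCATE since;
```

On a current server the third statement simply fails with an "invalid input syntax for type timestamp" error, which is the point: error or not, the value arrives at the type's input function regardless of whether it came through a placeholder or through the SQL text.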
| | From | Date | Subject |
|---|---|---|---|
| Next Message | Zeugswetter Andreas SB SD | 2002-08-20 16:36:58 | Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in |
| Previous Message | Lamar Owen | 2002-08-20 16:28:27 | Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in |