Re: update phenomenom - Mailing list pgsql-general
From | Henrik Steffen |
---|---|
Subject | Re: update phenomenom |
Date | |
Msg-id | 00b801c32d07$e84346d0$9800a8c0@henrik |
In response to | update phenomenom ("Henrik Steffen" <steffen@city-map.de>) |
Responses |
Re: update phenomenom
|
List | pgsql-general |
yes, input is coming from a web form.

my SQL() function uses DBD::Pg in Perl and it does the following:

    sub SQL {
      my $command=shift;
      ...
      $sth=$db->prepare($command);
      $sth->execute();
      ...
    }

Now I tried the following:

    $command="UPDATE table SET miano='12345';' WHERE kundennummer='12345';";

note the inner ; ! so I am trying an SQL injection attack

But this just delivers an Error from DBD::Pg. And no update at all is done.

However, I believe it still has got to be a kind of attack, though the user certainly didn't know this... so, probably something that was entered unconsciously into the web-form.

It was certainly no psql user who did this, because I can trace it back to a certain perl-script 100% sure. furthermore, I am the only one who actually has got psql-access....*lol*

I looked at the perl-script in more detail now: Not only the field 'miano' should be updated but also 6 other fields. Four of these columns have been updated in all 450.000 rows, two others have NOT been updated.

This leads me to the conclusion, that there has probably been a '; entered into form-fields four, so the where-clause was not executed - this would explain, why the other 2 columns were not updated at all.

I wonder, if there might have been a kind of comment-character after the ';. Because trying it manually, I keep getting an error. But is there a way to send a ';# to comment out the rest of the line? Or a ';\n or ';\0 or any special character?

Very strange, very strange.

BTW: I remember that I have had the same error once before, a few months ago. What strikes me is that the same function is triggered 50 times every day, and only every 5th month this strange error occurs. This led me to the thought, that maybe there could be some database corruption or something.... but it looks very much like an attack, don't you believe?

Anyone who knows more about DBD::Pg and how it's possible to enter two commands within one statement?
--

Kind regards

Henrik Steffen
Managing Director

top concepts Internetmarketing GmbH
Am Steinkamp 7 - D-21684 Stade - Germany
--------------------------------------------------------
http://www.topconcepts.com Tel. +49 4141 991230
mail: steffen@topconcepts.com Fax. +49 4141 991233
--------------------------------------------------------
24h-Support Hotline: +49 1908 34697 (EUR 1.86/Min,topc)
--------------------------------------------------------
Your SMS gateway: NOW NEW at: http://sms.city-map.de
System partners wanted: http://www.franchise.city-map.de
--------------------------------------------------------
Commercial register: AG Stade HRB 5811 - VAT ID: DE 213645563
--------------------------------------------------------

----- Original Message -----
From: "Jan Wieck" <JanWieck@Yahoo.com>
To: "Henrik Steffen" <steffen@city-map.de>
Cc: "pgsql" <pgsql-general@postgresql.org>
Sent: Friday, June 06, 2003 9:30 PM
Subject: Re: [GENERAL] update phenomenom

> Henrik Steffen wrote:
> > Hello all,
> >
> > I have a table consisting of about 450.000 rows
> > with a unique primary key char(9)
> >
> > kundennummer CHAR(9) unique primary key
> > ... some fields...
> > miano CHAR(6)
> >
> > Today someone issued an
> >
> > UPDATE table SET miano='071002' WHERE kundennummer='071002883';
> >
> > and managed to UPDATE all the 450.000 rows, updating
> > the miano to the value '071002' by issuing this command.
> >
> >
> > The update is generated through a web-based intranet-solution,
> > unfortunately I didn't have a postgresql-logfile for this, but
> > I can see from the webserver logfile, which scripts was run
> > at the particular time.
> >
> > For me it's almost 99.9 % sure, that it's no error in the
> > perl-program. There is only one command issuing exactly
> >
> > SQL("UPDATE $table SET $daten WHERE kundennummer='$kundennummer';");
>
> You expect that $daten contains precisely
>
> miano='071002'
>
> I guess the 071002 is coming from an input field in a form, no? What if
> someone managed to get
>
> miano='071002';'
>
> into $daten by entering 071002'; into the field?
>
>
> Jan
>
> --
> #======================================================================#
> # It's easier to get forgiveness for being wrong than for being right. #
> # Let's break this rule - forgive me. #
> #================================================== JanWieck@Yahoo.com #
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
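Added example, not part of the original thread or of anyone's code in it: the interpolated UPDATE discussed above next to a bound-parameter version that also checks the affected row count before committing. Python's sqlite3 stands in for DBD::Pg and PostgreSQL here; the table name `kunden`, the sample rows and all function names are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows; in-memory SQLite stands in for the PostgreSQL table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE kunden (kundennummer CHAR(9) PRIMARY KEY, miano CHAR(6))")
    db.executemany("INSERT INTO kunden VALUES (?, ?)",
                   [("071002883", "000001"), ("071002884", "000002"),
                    ("071002885", "000003")])
    db.commit()
    return db

def update_interpolated(db, miano, kundennummer):
    # Pattern from the thread: form values become part of the statement text,
    # so a quote in the input changes where the statement ends.
    sql = f"UPDATE kunden SET miano='{miano}' WHERE kundennummer='{kundennummer}';"
    return db.execute(sql).rowcount

def guarded_update(db, sql, params, max_rows=1):
    # Values are bound, never spliced into the SQL text. The row count is
    # checked before commit: an update keyed on a primary key that touches
    # more than max_rows rows is rolled back instead of committed.
    try:
        cur = db.execute(sql, params)
        if cur.rowcount > max_rows:
            raise RuntimeError(f"{cur.rowcount} rows affected, expected <= {max_rows}")
        db.commit()
        return cur.rowcount
    except Exception:
        db.rollback()
        raise

def miano_values(db):
    # Current miano column, ordered by primary key, for before/after comparison.
    return [row[0] for row in db.execute("SELECT miano FROM kunden ORDER BY kundennummer")]

if __name__ == "__main__":
    db = make_db()
    form_value = "071002';"   # the form input suggested in the quoted reply
    try:
        update_interpolated(db, form_value, "071002883")
    except Exception as exc:  # the driver rejects the broken statement
        print("interpolated:", type(exc).__name__, exc)
    n = guarded_update(db, "UPDATE kunden SET miano = ? WHERE kundennummer = ?",
                       (form_value, "071002883"))
    print("bound:", n, miano_values(db))
```

In Perl DBI the same binding is written with `?` placeholders in prepare() and the values passed to execute().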