On Wed, Jul 23, 2003 at 05:30:52PM -0700, Barry Lind wrote:
> New 7.3 and Dev builds for the driver are posted to the website. These
> fix two additional sql injection vulnerabilities reported by Oliver
> Jowett and Dmitry Tkach.
Now that it's patched, the one I reported was that you could insert a
literal \0 via setString() and friends, which the backend treated as "end of
query", so you could use a string like this:
"\0Qrollback;begin;insert into testquerynull(sensitive) values (42);commit\0"
to inject your own query. I suspect this one's been around for quite a
while: I noticed it a few months ago when inadvertently trying to insert
binary data as a String .. but didn't make the connection that it could be
used to inject new queries until the setObject() discussion came up.
-O
