Home > mailing lists

Re: [SECURITY] DoS attack on backend possible - Mailing list pgsql-hackers

From	Florian Weimer
Subject	Re: [SECURITY] DoS attack on backend possible
Date	August 20, 2002 15:31:25
Msg-id	877kil4hlr.fsf@CERT.Uni-Stuttgart.DE Whole thread Raw
In response to	Re: [SECURITY] DoS attack on backend possible ("Zeugswetter Andreas SB SD" <ZeugswetterA@spardat.at>)
List	pgsql-hackers

Tree view

"Zeugswetter Andreas SB SD" <ZeugswetterA@spardat.at> writes:

> Yes, but what is currently missing is a protocol to the backend
> where a statement is prepared with placeholders and then executed
> (multiple times) with given values. Then there is no doubt what is a
> value, and what a part of the SQL.

This wouldn't have helped in the current case.  The bug is in the
datetime parser which translates strings to an external
representation, not in the SQL parser.

-- 
Florian Weimer                       Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

pgsql-hackers by date:

From: Lamar Owen
Date: 20 August 2002, 15:28:30
Subject: Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in

From: "Zeugswetter Andreas SB SD"
Date: 20 August 2002, 15:37:01
Subject: Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in

Re: [SECURITY] DoS attack on backend possible - Mailing list pgsql-hackers

Previous

Next