Home > mailing lists

Re: Application name patch - v2 - Mailing list pgsql-hackers

From	Dave Page
Subject	Re: Application name patch - v2
Date	October 19, 2009 10:12:29
Msg-id	937d27e10910190312p4fc9b377s42ae7bcd5e751216@mail.gmail.com Whole thread Raw
In response to	Application name patch - v2 (Dave Page <dpage@pgadmin.org>)
Responses	Re: Application name patch - v2
List	pgsql-hackers

Tree view

On Mon, Oct 19, 2009 at 10:45 AM, Pavel Stehule <pavel.stehule@gmail.com> wrote:

> sure, you have to fix fulnerable application. But with some
> unsophisticated using %a and using wrong tools, the people can be
> blind and don't register an SQL injection attack.

If they're logging the statements (which they presumably are if
looking for unusual activity), then they'll see the attack:

dpage@myapp: LOG:  connection authorized: user=dpage database=postgres
dpage@myapp: LOG:  statement: set application_name='hax0red';
dpage@hax0red: LOG:  disconnection: session time: 0:00:20.152
user=dpage database=postgres host=[local]


-- 
Dave Page
EnterpriseDB UK:   http://www.enterprisedb.com

pgsql-hackers by date:

From: Pavel Stehule
Date: 19 October 2009, 09:42:09
Subject: Re: Application name patch - v2

From: Dave Page
Date: 19 October 2009, 10:17:08
Subject: Re: Application name patch - v2

Re: Application name patch - v2 - Mailing list pgsql-hackers

Previous

Next