Re: PostgreSQL Service on Windows does not start. ~ "is not a valid Win32 application" - Mailing list pgsql-hackers
Services are started with the system privileges. If somebody is able to place that .exe in the specified directory, then it will be executed on service start. So, yes, I too agree with Asif that it is an important issue and should be fixed in the code at the earliest.
--
On Thu, Oct 31, 2013 at 11:14 AM, Asif Naeem <anaeem.it@gmail.com> wrote:
On Thu, Oct 31, 2013 at 10:17 AM, Amit Kapila <amit.kapila16@gmail.com> wrote:On Tue, Oct 29, 2013 at 12:46 PM, Naoya AnzaiI could also reproduce this issue. The situation is very rare such
<anzai-naoya@mxu.nes.nec.co.jp> wrote:
> Hi Sandeep
>
>> I think, you should change the subject line to "Unquoted service path containing space is vulnerable and can be exploited on Windows" to get the attention.. :)
> Thank you for advice!
> I'll try to post to pgsql-bugs again.
that an "exe" with name same as first part of directory should exist
in installation path.I believe it is a security risk with bigger impact as it is related to Windows environment and as installers rely on it.I suggest you can post your patch in next commit fest.Yes. Are not vulnerabilities/security risk's taken care of more urgent bases ?With Regards,
Amit Kapila.
EnterpriseDB: http://www.enterprisedb.com
Sandeep Thakkar
Phone: +91.20.30589505
Website: www.enterprisedb.com
EnterpriseDB Blog: http://blogs.enterprisedb.com/
Follow us on Twitter: http://www.twitter.com/enterprisedb
Phone: +91.20.30589505
Website: www.enterprisedb.com
EnterpriseDB Blog: http://blogs.enterprisedb.com/
Follow us on Twitter: http://www.twitter.com/enterprisedb
pgsql-hackers by date: