Thread: Embedded SQL vulnerability

Embedded SQL vulnerability

From

Glen Eustace

Date:

31 August 2001, 23:02:39

Has anyone added anything into the client library along the lines of the
suggestion made in

http://cert.uni-stuttgart.de/advisories/apache_auth.php

I have just upgraded to 7.1.3 on RH7.1, I wasn't going to bother with the
source.  But we do use our database for authentication and consequently are
vulnerable.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Glen and Rosanne Eustace,
GodZone Internet Services, a division of AGRE Enterprises Ltd.,
P.O. Box 8020, Palmerston North, New Zealand 5301
Ph/Fax: +64 6 357 8168, Mob: +64 21 424 015

Re: Embedded SQL vulnerability

From

Doug McNaught

Date:

31 August 2001, 23:26:57

Glen Eustace <geustace@godzone.net.nz> writes:

> Has anyone added anything into the client library along the lines of the
> suggestion made in
>
> http://cert.uni-stuttgart.de/advisories/apache_auth.php
>
> I have just upgraded to 7.1.3 on RH7.1, I wasn't going to bother with the
> source.  But we do use our database for authentication and consequently are
> vulnerable.

A patch did go in just recently, but didn't make it into 7.1.3.

You can always do the escaping yourself--the patch just makes the
escape call available in the library; it doesn't automatically fix
your code.

-Doug
--
Free Dmitry Sklyarov!
http://www.freesklyarov.org/

We will return to our regularly scheduled signature shortly.

Re: Embedded SQL vulnerability

From

Glen Eustace

Date:

01 September 2001, 01:13:43

On Saturday 01 September 2001 12:26, Doug McNaught wrote:
>
> A patch did go in just recently, but didn't make it into 7.1.3.
>
> You can always do the escaping yourself--the patch just makes the
> escape call available in the library; it doesn't automatically fix
> your code.

Agreed, but if it were in a library that I am linking already, then I don't
need to either have a library of  my own or add code to 'escape' to each
programme.

In the interim, I have simply added the code to mod_auth_pgsql

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Glen and Rosanne Eustace,
GodZone Internet Services, a division of AGRE Enterprises Ltd.,
P.O. Box 8020, Palmerston North, New Zealand 5301
Ph/Fax: +64 6 357 8168, Mob: +64 21 424 015

Re: Embedded SQL vulnerability

From

Michael Meskes

Date:

01 September 2001, 08:50:50

On Sat, Sep 01, 2001 at 11:12:34AM +1200, Glen Eustace wrote:
> http://cert.uni-stuttgart.de/advisories/apache_auth.php

Is this somehow related to ecpg? I just noticed the term "embedded" in the
subject. :-)

In fact ecpg does have its own function to quote escape characters. It does
not quote \0 but it does quote \' to \'\' and \\ to \\\\.

Michael
--
Michael Meskes
Michael@Fam-Meskes.De
Go SF 49ers! Go Rhein Fire!
Use Debian GNU/Linux! Use PostgreSQL!