Thread: New builds posted to jdbc.postgresql.org website for jdbc driver
New 7.3 and Dev builds for the driver are posted to the website. These fix two additional sql injection vulnerabilities reported by Oliver Jowett and Dmitry Tkach.

thanks,
--Barry
On Wed, Jul 23, 2003 at 05:30:52PM -0700, Barry Lind wrote:
> New 7.3 and Dev builds for the driver are posted to the website. These
> fix two additional sql injection vulnerabilities reported by Oliver
> Jowett and Dmitry Tkach.

Now that it's patched, the one I reported was that you could insert a literal \0 via setString() and friends, which the backend treated as "end of query", so you could use a string like this:

"\0Qrollback;begin;insert into testquerynull(sensitive) values (42);commit\0"

to inject your own query.

I suspect this one's been around for quite a while: I noticed it a few months ago when inadvertently trying to insert binary data as a String .. but didn't make the connection that it could be used to inject new queries until the setObject() discussion came up.

-O
Oliver Jowett <oliver@opencloud.com> writes:
> On Wed, Jul 23, 2003 at 05:30:52PM -0700, Barry Lind wrote:
>> New 7.3 and Dev builds for the driver are posted to the website. These
>> fix two additional sql injection vulnerabilities reported by Oliver
>> Jowett and Dmitry Tkach.

> Now that it's patched, the one I reported was that you could insert a
> literal \0 via setString() and friends, which the backend treated as "end of
> query", so you could use a string like this:
> "\0Qrollback;begin;insert into testquerynull(sensitive) values (42);commit\0"
> to inject your own query.

FWIW, that won't work anymore in the V3 protocol, whether or not JDBC has been patched to reject nulls ...

regards, tom lane
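The two points made in this thread, Oliver's (a NUL inside a string parameter is read by the old backend as the end of the query, so the bytes after it become a new query) and Tom's (a length-prefixed protocol is immune to that regardless of the driver), can be shown with a small model. The following is an added example; it is not code from the thread, from the JDBC driver or from PostgreSQL. `reject_embedded_nul`, `bind_checked` and the frame/split helpers are hypothetical names chosen here: the first two model a driver-side "reject nulls" check, and the framing functions are simplified stand-ins for a NUL-terminated and a length-prefixed query message, not the real V2 or V3 protocol code. The sample parameter is constructed from the string Oliver quotes.

```python
import struct

# Constructed sample inputs, modelled on the string quoted in the thread.
INJECTED_PARAMETER = (
    "\0Qrollback;begin;insert into testquerynull(sensitive) values (42);commit\0"
)
BENIGN_PARAMETER = "plain value"
TEMPLATE = "insert into testquerynull(sensitive) values (?)"


class InvalidParameterError(ValueError):
    """Raised when a parameter cannot be safely embedded in a query string."""


def has_embedded_nul(value: str) -> bool:
    """True if the string contains U+0000 anywhere."""
    return "\0" in value


def reject_embedded_nul(value: str) -> str:
    """Return value unchanged if it has no NUL character, otherwise raise.

    PostgreSQL text values cannot hold U+0000, so nothing legitimate is lost
    by refusing such a parameter outright instead of trying to escape it.
    (Hypothetical driver-side check; not the real driver's code.)
    """
    if has_embedded_nul(value):
        raise InvalidParameterError(
            f"string parameter contains NUL at index {value.index(chr(0))}")
    return value


def quote_literal(value: str) -> str:
    """Minimal single-quote doubling; escaping is not the point of this model."""
    return "'" + value.replace("'", "''") + "'"


def bind_checked(template: str, value: str) -> str:
    """Bind one parameter with the NUL check run before quoting."""
    return template.replace("?", quote_literal(reject_embedded_nul(value)), 1)


def frame_nul_terminated(query: str) -> bytes:
    """Model of an in-band-terminated frame: tag 'Q', query text, NUL."""
    return b"Q" + query.encode("utf-8") + b"\0"


def split_nul_terminated(stream: bytes) -> list[bytes]:
    """Read 'Q' frames up to each NUL; stop at the first unknown tag.

    Because the terminator is in-band, a NUL inside the query text ends the
    message early and the bytes after it are parsed as the next frame. A
    real server would raise a protocol error at the unknown tag, but only
    after it had already acted on the messages read so far.
    """
    messages, pos = [], 0
    while pos < len(stream) and stream[pos:pos + 1] == b"Q":
        end = stream.index(b"\0", pos + 1)
        messages.append(stream[pos + 1:end])
        pos = end + 1
    return messages


def frame_length_prefixed(query: str) -> bytes:
    """Model of a length-prefixed frame: tag 'Q', big-endian Int32 length
    (counting the length field itself), then the query text."""
    payload = query.encode("utf-8")
    return b"Q" + struct.pack("!I", 4 + len(payload)) + payload


def split_length_prefixed(stream: bytes) -> list[bytes]:
    """Read 'Q' frames by their declared length; a NUL in the text is data."""
    messages, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 1] != b"Q":
            raise ValueError(f"unexpected tag {stream[pos:pos + 1]!r} at {pos}")
        (length,) = struct.unpack("!I", stream[pos + 1:pos + 5])
        messages.append(stream[pos + 5:pos + 1 + length])
        pos += 1 + length
    return messages


def queries_seen_by_server(frame, split, value: str) -> list[bytes]:
    """Bind the value WITHOUT the NUL check and show what each framing yields.

    With NUL framing the injected parameter splits into two queries; with
    length framing the same bytes stay one query, as Tom's reply says.
    """
    unchecked = TEMPLATE.replace("?", quote_literal(value), 1)
    return split(frame(unchecked))


if __name__ == "__main__":
    nul = queries_seen_by_server(frame_nul_terminated, split_nul_terminated,
                                 INJECTED_PARAMETER)
    length = queries_seen_by_server(frame_length_prefixed, split_length_prefixed,
                                    INJECTED_PARAMETER)
    print(f"NUL-terminated framing: {len(nul)} queries; second is {nul[1]!r}")
    print(f"length-prefixed framing: {len(length)} query")
    try:
        bind_checked(TEMPLATE, INJECTED_PARAMETER)
    except InvalidParameterError as exc:
        print("driver-side check:", exc)
```

Running the model prints two queries under NUL-terminated framing (the second being the `rollback;begin;...;commit` text that was carried inside the parameter), one query under length-prefixed framing, and a rejection from the driver-side check. The two defences are independent: the framing change removes the in-band terminator the trick relies on, while the parameter check stops the bad value before it ever reaches the wire.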