| From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
|---|---|
| To: | Dave Page <dpage(at)pgadmin(dot)org> |
| Cc: | Dimitri Fontaine <dfontaine(at)hi-media(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Application name patch - v2 |
| Date: | 2009-10-19 11:35:11 |
| Message-ID: | 162867790910190435i66b28634nfb9864eae10d353c@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
2009/10/19 Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>:
> 2009/10/19 Dave Page <dpage(at)pgadmin(dot)org>:
>> On Mon, Oct 19, 2009 at 10:45 AM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:
>>
>>> sure, you have to fix fulnerable application. But with some
>>> unsophisticated using %a and using wrong tools, the people can be
>>> blind and don't register an SQL injection attack.
>>
>> If they're logging the statements (which they presumably are if
>> looking for unusual activity), then they'll see the attack:
>>
>> dpage(at)myapp: LOG: connection authorized: user=dpage database=postgres
>> dpage(at)myapp: LOG: statement: set application_name='hax0red';
>> dpage(at)hax0red: LOG: disconnection: session time: 0:00:20.152
>> user=dpage database=postgres host=[local]
>>
>
> this is bad solution. yes, I can found probmlematics rows, but I'll
> get ten or more larger log. This is available only when loging of
> application name changes depend on own configuration setting.
>
what is +/- same as GUC for write access to application name.
Pavel
> Regards
> Pavel
>>
>> --
>> Dave Page
>> EnterpriseDB UK: http://www.enterprisedb.com
>>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Page | 2009-10-19 11:38:54 | Re: Application name patch - v2 |
| Previous Message | Peter Eisentraut | 2009-10-19 11:34:55 | Re: Rejecting weak passwords |