Re: Application name patch - v2

From: Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: Dimitri Fontaine <dfontaine(at)hi-media(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Application name patch - v2
Date: 2009-10-19 11:57:20
Message-ID: 162867790910190457x75ac7381n8c096b8cf4e82e46@mail.gmail.com
Lists: pgsql-hackers

2009/10/19 Dave Page <dpage(at)pgadmin(dot)org>:
> On Mon, Oct 19, 2009 at 12:33 PM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:
>> 2009/10/19 Dave Page <dpage(at)pgadmin(dot)org>:
>>> On Mon, Oct 19, 2009 at 10:45 AM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:
>>>
>>>> Sure, you have to fix the vulnerable application. But with some
>>>> unsophisticated use of %a and the wrong tools, people can be
>>>> blind and not register an SQL injection attack.
>>>
>>> If they're logging the statements (which they presumably are if
>>> looking for unusual activity), then they'll see the attack:
>>>
>>> dpage(at)myapp: LOG:  connection authorized: user=dpage database=postgres
>>> dpage(at)myapp: LOG:  statement: set application_name='hax0red';
>>> dpage(at)hax0red: LOG:  disconnection: session time: 0:00:20.152
>>> user=dpage database=postgres host=[local]
>>>
>>
>> This is a bad solution. Yes, I can find the problematic rows, but I'll
>> get a ten or more times larger log. This is available only when logging of
>> application name changes depends on its own configuration setting.
>
> Why will you get 'ten or more larger log'? If you're looking for
> suspicious queries from SQL injection attacks, then you'll be logging
> queries anyway. The only additional log lines will be the hacker...

It is not practical. I'll log errors. Usually SQL injection generates a
lot of errors. Logging all statements makes no sense. What is the difference
between a bad and a good SQL statement? Maybe multistatements are good candidates
for logging as possible attacker statements. On highly loaded databases
logging all statements significantly increases the load :(

>
> My point is, that the query to change the app name is logged using the
> *original* app name, thus it will not be discarded by the log analysis
> tools in your scenario.
>

I think that a change of the original name should generate a warning.

Pavel
> --
> Dave Page
> EnterpriseDB UK:   http://www.enterprisedb.com
>
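An added example, not code from the thread or from PostgreSQL itself: a small Python check over constructed log lines in the `user@application_name` prefix format Dave shows above. It flags both the `set application_name` statement (still logged under the original name) and any later line whose prefix no longer matches the name the session was authorized with. It assumes one session per user for simplicity; a real log_line_prefix would include the process id to key on.

```python
import re

# Constructed sample log lines in the "%u@%a: " prefix format from the thread.
# The obfuscated "(at)" of the archive is written as "@" here.
SAMPLE_LOG = """\
dpage@myapp: LOG:  connection authorized: user=dpage database=postgres
dpage@myapp: LOG:  statement: select * from orders where id = 42
dpage@myapp: LOG:  statement: set application_name='hax0red';
dpage@hax0red: LOG:  statement: select * from pg_shadow
dpage@hax0red: LOG:  disconnection: session time: 0:00:20.152 user=dpage database=postgres host=[local]
"""

# user@app: LEVEL:  message
PREFIX_RE = re.compile(
    r"^(?P<user>[^@\s]+)@(?P<app>[^:]+):\s+(?P<level>\w+):\s+(?P<msg>.*)$"
)
# A statement that rewrites application_name mid-session.
SET_APP_RE = re.compile(r"\bset\s+application_name\s*=", re.IGNORECASE)


def find_app_name_changes(log_text):
    """Return a list of (line_no, kind, detail) findings.

    kind is 'set_application_name' for the statement itself and
    'prefix_mismatch' for lines whose %a no longer equals the name
    recorded at 'connection authorized'. Keyed by user only (assumption:
    one session per user in the sample).
    """
    findings = []
    authorized = {}  # user -> application_name seen when the connection was authorized
    for n, line in enumerate(log_text.splitlines(), 1):
        m = PREFIX_RE.match(line)
        if not m:
            continue  # not a prefixed log line, e.g. a continuation line
        user, app, msg = m["user"], m["app"], m["msg"]
        if msg.startswith("connection authorized"):
            authorized[user] = app
            continue
        if SET_APP_RE.search(msg):
            findings.append((n, "set_application_name", f"{user}@{app}: {msg}"))
        expected = authorized.get(user)
        if expected is not None and app != expected:
            findings.append((n, "prefix_mismatch", f"{user}: expected {expected}, saw {app}"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in find_app_name_changes(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```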
