From: | Dave Page <dpage(at)pgadmin(dot)org> |
---|---|
To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
Cc: | Dimitri Fontaine <dfontaine(at)hi-media(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Application name patch - v2 |
Date: | 2009-10-19 10:12:19 |
Message-ID: | 937d27e10910190312p4fc9b377s42ae7bcd5e751216@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Oct 19, 2009 at 10:45 AM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:
> sure, you have to fix fulnerable application. But with some
> unsophisticated using %a and using wrong tools, the people can be
> blind and don't register an SQL injection attack.
If they're logging the statements (which they presumably are if
looking for unusual activity), then they'll see the attack:
dpage(at)myapp: LOG: connection authorized: user=dpage database=postgres
dpage(at)myapp: LOG: statement: set application_name='hax0red';
dpage(at)hax0red: LOG: disconnection: session time: 0:00:20.152
user=dpage database=postgres host=[local]
--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
From | Date | Subject | |
---|---|---|---|
Next Message | Dave Page | 2009-10-19 10:16:55 | Re: Application name patch - v2 |
Previous Message | Pavel Stehule | 2009-10-19 09:45:33 | Re: Application name patch - v2 |