| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Marc G(dot) Fournier" <scrappy(at)hub(dot)org> |
| Cc: | Neil Conway <neilc(at)samurai(dot)com>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
| Date: | 2002-08-24 04:37:44 |
| Message-ID: | 25492.1030163864@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-announce pgsql-general pgsql-hackers |
"Marc G. Fournier" <scrappy(at)hub(dot)org> writes:
> Right, but you have to get a connection to the backend in order to crash
> it ... no?
The point was that it might be possible to exploit this with only
indirect access to the database, such as entering "date" information
into a webform that would hand off the value to the database with
little or no checking. Most of the risks we've been discussing require
the ability to issue chosen SQL commands, but this one only requires
the ability to determine a data value that's used in a SQL command.
Big difference.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2002-08-24 04:38:07 | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
| Previous Message | Neil Conway | 2002-08-24 04:23:13 | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2002-08-24 04:38:07 | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
| Previous Message | Neil Conway | 2002-08-24 04:23:13 | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2002-08-24 04:38:07 | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
| Previous Message | Bruce Momjian | 2002-08-24 04:36:08 | Re: Large file support available |