Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12817
HistoryMay 26, 2006 - 12:00 a.m.

PostgreSQL security releases 8.1.4, 8.0.8, 7.4.13, 7.3.15

2006-05-2600:00:00
vulners.com
7
JSON

PostgreSQL versions 8.1.4, 8.0.8, 7.4.13 and 7.3.15 have been released
fixing two security issues.

Details of vulnerability 1

Vulnerability type: SQL Injection
Remotely exploitable: Depends on client

Affected versions: PostgreSQL 8.1.0-8.1.3, 8.0.0-8.0.7,
7.4.0-7.4.12, 7.3.0-7.3.14
Fixed versions: PostgreSQL 8.1.4, 8.0.8, 7.4.13, 7.3.15

Affected platforms: All

CVE: CVE-2006-2313
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2313)

Vulnerability description

An attacker able to submit crafted strings to an application that will
embed those strings in SQL commands can use invalidly-encoded multibyte
characters to bypass standard string-escaping methods, resulting in
possible injection of hostile SQL commands into the database. The
attacks covered here work in any multibyte encoding.

Details of vulnerability 2

Vulnerability type: SQL Injection
Remotely exploitable: Depends on client

Affected versions: PostgreSQL 8.1.0-8.1.3, 8.0.0-8.0.7,
7.4.0-7.4.12, 7.3.0-7.3.14
Fixed versions: PostgreSQL 8.1.4, 8.0.8, 7.4.13, 7.3.15

Affected platforms: All

CVE: CVE-2006-2314
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2314)

Vulnerability description

The widely-used practice of escaping ASCII single quote "'" by turning
it into "\'" is unsafe when operating in multibyte encodings that allow
0x5c (ASCII code for backslash) as the trailing byte of a multibyte
character; this includes at least SJIS, BIG5, GBK, GB18030, and UHC. An
application that uses this conversion while embedding untrusted strings
in SQL commands is vulnerable to SQL-injection attacks if it
communicates with the server in one of these encodings. While the
standard client libraries used with PostgreSQL have escaped "'" in the
safe, SQL-standard way of "''" for some time, the older practice remains
common. As of PostgreSQL versions 8.1.4, 8.0.8, 7.4.13 and 7.3.15, the
server has been modified to reject "\'" when the client is using one of
these encodings.
This does NOT in itself fix all variants of the problem, but it will
make it obvious that such a client is broken and in need of repair.

More information is available on the PostgreSQL website at
http://www.postgresql.org/docs/techdocs.52.

Solution

Upgrade to version 8.1.4, 8.0.8, 7.4.13 or 7.3.15 respectively,
available from http://www.postgresql.org/ftp/ in both source and binary
formats.

Mitigating factors

  • If client_encoding is a single-byte encoding (e.g., one of the
    LATINx family), there is no vulnerability.

  • If both client and server encoding is UTF8, there is no vulnerability.

  • If application always sends untrusted strings as out-of-line
    parameters, instead of embedding them into SQL commands, it is not
    vulnerable. This is only available in PostgreSQL 7.4 or later.

  • If application cannot pass invalidly encoded data to the server,
    there is no vulnerability (this probably includes all Java and .Net
    applications, for example, because of the platforms handling of
    Unicode strings).

Workarounds

  • Changing to a non-multibyte client_encoding will protect against
    both vulnerabilities.

  • Changing to UTF8 encoding and upgrading to a fixed version of
    PostgreSQL will protect the system without client side changes.

Credits

The PostgreSQL Global Development Group thanks Akio Ishida and Yasuo
Ohgaki for reporting these vulnerabilities.

Related

nessus 16
openvas 4
osv 1
gentoo 1
securityvulns 1
ubuntu 3
fedora 1
freebsd 1
debian 1
suse 1
centos 1
cve 3
prion 3
redhat 1
debiancve 1
postgresql 2
ubuntucve 2
nessus
nessus
openSUSE 10 Security Update : postgresql (postgresql-1443)
2007-10-17 00:00:00
Debian DSA-1087-1 : postgresql - programming error
2006-10-14 00:00:00
Fedora 7 : php-pear-DB-1.7.11-1.fc7 (2007-0249)
2007-11-06 00:00:00
openvas
openvas
Gentoo Security Advisory GLSA 200607-04 (postgresql)
2008-09-24 00:00:00
FreeBSD Ports: postgresql, postgresql-server, ja-postgresql
2008-09-04 00:00:00
Debian Security Advisory DSA 1087-1 (postgresql)
2008-01-17 00:00:00
osv
osv
postgresql - programming error
2006-06-03 00:00:00
gentoo
gentoo
PostgreSQL: SQL injection
2006-07-09 00:00:00
securityvulns
securityvulns
[Full-disclosure] rPSA-2006-0080-1 postgresql postgresql-server
2006-05-25 00:00:00
ubuntu
ubuntu
PostgreSQL server/client vulnerabilities
2006-06-09 00:00:00
PostgreSQL server/client vulnerabilities
2006-05-29 00:00:00
PostgreSQL client vulnerabilities
2006-06-09 00:00:00
fedora
fedora
[SECURITY] Fedora 7 Update: php-pear-DB-1.7.11-1.fc7
2007-06-06 16:42:53
freebsd
freebsd
postgresql -- encoding based SQL injection
2006-05-11 00:00:00
debian
debian
[SECURITY] [DSA 1087-1] New PostgreSQL packages fix encoding vulnerabilities
2006-06-03 07:52:06
suse
suse
remote code execution in postgresql
2006-06-09 14:03:55
centos
centos
postgresql, rh security update
2006-05-23 21:38:04
cve
cve
CVE-2006-2824
2006-06-05 17:02:00
CVE-2006-2314
2006-05-24 10:06:00
CVE-2006-2313
2006-05-24 10:06:00
prion
prion
Design/Logic Flaw
2006-06-05 17:02:00
Sql injection
2006-05-24 10:06:00
Sql injection
2006-05-24 10:06:00
redhat
redhat
(RHSA-2006:0526) postgresql security update
2006-05-23 00:00:00
debiancve
debiancve
CVE-2006-2314
2006-05-24 10:06:00
postgresql
postgresql
Vulnerability in core server (CVE-2006-2314)
2006-05-24 10:06:00
Vulnerability in core server (CVE-2006-2313)
2006-05-24 10:06:00
ubuntucve
ubuntucve
CVE-2006-2314
2006-05-24 00:00:00
CVE-2006-2313
2006-05-24 00:00:00
JSON
Related for SECURITYVULNS:DOC:12817
nessus16openvas4osv1gentoo1securityvulns1ubuntu3fedora1freebsd1debian1suse1centos1cve3prion3redhat1debiancve1postgresql2ubuntucve2