| PostgreSQL code execution | |
| --- | --- |
| Published: | 26.05.2010 |
| Source: | BUGTRAQ |
| SecurityVulns ID: | 10862 |
| Type: | local |
| Level: | 5/10 |
| Description: | It's possible to execute PL/perl or PL/Tcl code via a stored procedure. |
| Affected: | POSTGRESQL : PostgreSQL 8.4 |
| CVE: | CVE-2010-1170 (The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script.) |
| | CVE-2010-1169 (PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447.) |