Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Postgresql Patches Critical Vulnerability - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Postgresql Patches Critical Vulnerability

The Postgresql team announced earlier today the release of patches for its popular open source database. The description of the vulnerability sounds quite scary. An attacker may cause corruption to the database, or if the attacker is able to log in, the attacker may then escalate privileges and in some cases execute arbitrary code.

The vulnerability is triggered by connecting to the database and specifying a database name that starts with a "-". This database does not have to exist for the vulnerability to be triggered. The database name starting with a "-" is then parsed as a command line argument and can be used to corrupt the database. 

There was some controversy about how the bug was handled by the postgresql team. But overall, they appear to have done a good job in patching this quickly. For the last few days, the postgresql source code repository was not viewable to prevent an early release of the vulnerability.

Of course, nobody should allow direct connections to the database from the Internet, but this bug may be exploitable after for example compromising a web server with a postgresql backend (a simple SQL injection is probably not enough, but other exploits that modify the database connect string could be used).

So in short: patch 

References:

http://seclists.org/bugtraq/2013/Apr/26
http://www.postgresql.org/support/security/faq/2013-04-04/

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS London July 2019

Johannes

3563 Posts
ISC Handler
"Of course, nobody should allow direct connections to the firewall from the outside, ..." should probably have read "Of course, nobody should allow direct connections to the database (through the firewall) from the outside, ..."
Anonymous
I'm always tempted to correct people's English on web sites, but then I think, "How well would I do if I tried to write in German/Portuguese, etc." The answer is not very well, since I only speak one language.
John

88 Posts

Sign Up for Free or Log In to start participating in the conversation!