[mpitt at debian.org: [Pkg-nagios-devel] Bug#369362: nagios: Insecure quote escaping in PostgreSQL backend]

sean finney seanius at seanius.net
Mon May 29 16:27:08 CEST 2006


hi ethan,

fyi, looks like there could potentially be some more problems with the
RDBMS methods in 1.x.  i think the fix is probably not too hard: instead
of escaping queries manually, use the functions provided by libpq (and
i'm sure a similar function for mysql must exist?).

i don't have time to look into this to see if there's an actual
vulnerability, and/or work on it right now, but i'll let you know
if i hear anything.

	sean

----- Forwarded message from Martin Pitt <mpitt at debian.org> -----

Date: Mon, 29 May 2006 13:09:19 +0200
From: Martin Pitt <mpitt at debian.org>
To: Debian BTS Submit <submit at bugs.debian.org>
Subject: [Pkg-nagios-devel] Bug#369362: nagios: Insecure quote escaping in
	PostgreSQL backend

Package: nagios
Severity: important
Version: 2:1.4-1
Tags: security

Hi!

Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and now not
allowed any more in some encodings which are prone to this SQL
injection attack. This has been assigned CVE-2006-2314.

The various xdata/xr*.c modules currently use \' to escape quotes, which makes
them vulnerable to this attack with earlier PostgreSQL versions, and will
break with the current one (since it disables this method of quote escaping by
default in affected client encodings). The database query quoting should be
changed to use '' instead of \', but a better fix is to completely replace
custom quoting with an invocation of PQescapeString() from libpq.

Please be aware that this also affects other database backends in principle
(unless they do not support the affected encodings). Also, '' is the SQL
standard escape for ', not \'.

Please also pass this to upstream.

Thank you!

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



_______________________________________________
Pkg-nagios-devel mailing list
Pkg-nagios-devel at lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-nagios-devel


----- End forwarded message -----
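To make the report's point concrete, here is an added example (not Nagios code and not libpq): the byte-by-byte \' escaper beside the '' form, plus a small audit routine that consumes the escaped literal the way the server side does under a simplified SJIS-like client encoding constructed for this example, where 0x5C is a legal trail byte and 0x27 is not. All function names (escape_backslash, escape_double, literal_check, audit_*) are chosen for this example.

```c
#include <stddef.h>
#include <string.h>

/* Byte-by-byte escaper with no knowledge of the client encoding:
 * puts 'prefix' in front of every single quote. */
static void escape_quotes(char *out, size_t outsz, const char *in, char prefix)
{
    size_t o = 0;
    for (; *in && o + 2 < outsz; in++) {
        if (*in == '\'') out[o++] = prefix;
        out[o++] = *in;
    }
    out[o] = '\0';
}
/* Old xdata/xr*.c style (\') and the SQL-standard form the report asks for (''). */
void escape_backslash(char *out, size_t outsz, const char *in) { escape_quotes(out, outsz, in, '\\'); }
void escape_double(char *out, size_t outsz, const char *in)    { escape_quotes(out, outsz, in, '\''); }

/* Simplified SJIS-like client encoding (constructed for this example): a lead
 * byte 0x81-0x9F/0xE0-0xEF is followed by one trail byte 0x40-0x7E/0x80-0xFC.
 * 0x5C ('\') is a legal trail byte; 0x27 (''') is not. */
static int is_lead(unsigned char c)  { return (c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xEF); }
static int is_trail(unsigned char c) { return (c >= 0x40 && c <= 0x7E) || (c >= 0x80 && c <= 0xFC); }

/* Audit an escaped literal body as the server consumes it: multibyte characters
 * are decoded first, then the (pre-9.1 default) backslash escape and the ''
 * pair apply.  1 = one well-formed literal; 0 = a bare quote closes the literal
 * early (injection risk); 2 = invalid byte sequence, rejected by a fixed server. */
int literal_check(const char *body)
{
    const unsigned char *p = (const unsigned char *)body;
    while (*p) {
        if (is_lead(*p)) {
            if (!is_trail(p[1])) return 2;
            p += 2;                          /* one multibyte character */
        } else if (*p == '\\' && p[1]) {
            p += 2;                          /* backslash-escaped byte */
        } else if (*p == '\'') {
            if (p[1] != '\'') return 0;      /* unpaired quote: literal ends */
            p += 2;                          /* '' pair */
        } else {
            p++;
        }
    }
    return 1;
}
/* Escape 'in' in each style and audit the result. */
int audit_backslash(const char *in) { char b[128]; escape_backslash(b, sizeof b, in); return literal_check(b); }
int audit_double(const char *in)    { char b[128]; escape_double(b, sizeof b, in);    return literal_check(b); }
```

On plain ASCII input both styles produce a closed literal; on input whose last byte is a lead byte, the backslash inserted by escape_backslash is swallowed as a trail byte and the quote is left bare, while the doubled quote can never be a trail byte and the server rejects the sequence instead.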
