Re: a vulnerability in PostgreSQL

From: Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my>
To: Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: a vulnerability in PostgreSQL
Date: 2002-05-02 11:17:28
Message-ID: 5.1.0.14.1.20020502185428.02f16ec0@192.228.128.13
Lists: pgsql-hackers

Oops. How about:

foo'; DROP TABLE t1; -- foo

The last ' gets removed, leaving -- (81a2).

So you get:
select ... '(0x81a2)'; DROP TABLE t1; -- (0x81a2)

Would that work? Or do you need to put a semicolon after the --?

Alternatively would select (0x81a2) be a syntax error? If it isn't then
that's another way to terminate it properly.

As for the backslash, how does postgresql treat \000 and other naughty
codes? Too bad there are too many characters to backspace over - that is if
backspacing (\b) over commands works in the first place ;)...

I'll let you know if I think of other ways (I'm sure there are - I probably
have to go through the postgresql syntax and commands more closely). Got to
go :).

Cheerio,
Link.

At 05:50 PM 5/2/02 +0900, Tatsuo Ishii wrote:
> > Not tested: but how about the string being
> > foo'; DROP TABLE T1; foo
> >
> > Would the last ' be eaten up then resulting in no error?
>
>Even if the last ' is eaten up, the remaining string is (81a2), which
>would cause parser errors since it is not valid SQL, I think.
>
> > Also normally a \ would be quoted by \\ right? Would a foo\ result in an
> > unquoted \ ? An unquoted backslash may allow some possibilities.
> >
> > There could be other ways to get rid of the last ', comments etc, so it may
> > not be just 6.5.x.
>
>Please provide concrete examples. I could not find such a case.
>--
>Tatsuo Ishii
>
