Re: PostgreSQL Service on Windows does not start. ~ "is not a valid Win32 application"

From: Sandeep Thakkar <sandeep(dot)thakkar(at)enterprisedb(dot)com>
To: Asif Naeem <anaeem(dot)it(at)gmail(dot)com>
Cc: Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Naoya Anzai <anzai-naoya(at)mxu(dot)nes(dot)nec(dot)co(dot)jp>, Asif Naeem <asif(dot)naeem(at)enterprisedb(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Akio Iwaasa <iwaasa(at)mxs(dot)nes(dot)nec(dot)co(dot)jp>
Subject: Re: PostgreSQL Service on Windows does not start. ~ "is not a valid Win32 application"
Date: 2013-10-31 06:36:53
Message-ID: CANFyU941Qmj4qC0u492hHGAeemMVGHSz5pjfOQo5o5jab3=3dg@mail.gmail.com
Lists: pgsql-hackers

Services are started with system privileges. If somebody is able to
place that .exe in the specified directory, then it will be executed on
service start. So, yes, I too agree with Asif that it is an important issue
and should be fixed in the code at the earliest.

On Thu, Oct 31, 2013 at 11:14 AM, Asif Naeem <anaeem(dot)it(at)gmail(dot)com> wrote:

> On Thu, Oct 31, 2013 at 10:17 AM, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com> wrote:
>
>> On Tue, Oct 29, 2013 at 12:46 PM, Naoya Anzai
>> <anzai-naoya(at)mxu(dot)nes(dot)nec(dot)co(dot)jp> wrote:
>> > Hi Sandeep
>> >
>> >> I think, you should change the subject line to "Unquoted service path
>> containing space is vulnerable and can be exploited on Windows" to get the
>> attention.. :)
>> > Thank you for advice!
>> > I'll try to post to pgsql-bugs again.
>>
>> I could also reproduce this issue. The situation is very rare, such
>> that an .exe with the same name as the first part of the directory should exist
>> in the installation path.
>>
>
> I believe it is a security risk with a bigger impact, as it is related to
> the Windows environment and installers rely on it.
>
>
>> I suggest you can post your patch in next commit fest.
>
>
> Yes. Are vulnerabilities/security risks not taken care of on a more urgent
> basis?
>
>
>> With Regards,
>> Amit Kapila.
>> EnterpriseDB: http://www.enterprisedb.com
>>
>
>

--
Sandeep Thakkar

Phone: +91.20.30589505

Website: www.enterprisedb.com
EnterpriseDB Blog: http://blogs.enterprisedb.com/
Follow us on Twitter: http://www.twitter.com/enterprisedb

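The hijack the message describes follows from how CreateProcess resolves an unquoted module name: it tries each whitespace-delimited prefix of the command line in turn (appending ".exe" when that prefix has no extension) until one names an existing file, and the service control manager hands the service's ImagePath to CreateProcess running as LocalSystem. The following is an added example, not code from the thread or from PostgreSQL, that enumerates those candidates for a service command line and reports which of them an attacker could plant before the real binary is reached. The installation path, the service name `postgresql-x64-9.3` and the simulated set of existing files are constructed for illustration; the second test case is the path from Microsoft's own CreateProcess documentation and generalizes the one-space case in the thread to several spaces.

```python
"""Enumerate the executables Windows would try for an unquoted service ImagePath.

CreateProcess takes the module name from an unquoted command line by trying
each whitespace-delimited prefix in order (appending ".exe" when the prefix
has no extension) until one names an existing file.  Every prefix tried
before the real binary is a planting location for an attacker who can write
to that directory; the service runs the planted file as LocalSystem.
"""
import ntpath
import re


def _with_exe(prefix):
    # .exe is appended only when the last path component has no extension.
    base = ntpath.basename(prefix)
    return prefix if "." in base else prefix + ".exe"


def candidate_modules(command_line):
    """Module paths CreateProcess would try, in order, for a command line."""
    cl = command_line.strip()
    if cl.startswith('"'):
        # A quoted module name is taken verbatim: exactly one candidate.
        end = cl.find('"', 1)
        return [cl[1:end]] if end != -1 else []
    candidates = [_with_exe(cl[:m.start()]) for m in re.finditer(r"\s", cl)]
    candidates.append(_with_exe(cl))
    return candidates


def hijack_points(command_line, existing_files):
    """Return (planting_locations, resolved_module).

    existing_files simulates the file system so this runs offline; on a real
    host you would check each candidate with os.path.exists.  The search stops
    at the first candidate that exists, which is what Windows actually runs.
    """
    existing = {p.lower() for p in existing_files}
    points = []
    for cand in candidate_modules(command_line):
        if cand.lower() in existing:
            return points, cand
        points.append(cand)
    # Nothing matched: the service would fail to start rather than be hijacked.
    return points, None


def build_service_command(exe, *args):
    """Hardened form: quote the module path so only one file can be tried."""
    return " ".join(['"%s"' % exe] + list(args))


# Constructed sample: a typical PostgreSQL install path and service name.
PG_EXE = r"C:\Program Files\PostgreSQL\9.3\bin\pg_ctl.exe"
UNQUOTED = PG_EXE + ' runservice -N "postgresql-x64-9.3"'
QUOTED = build_service_command(PG_EXE, "runservice", "-N", '"postgresql-x64-9.3"')
SIMULATED_FS = {PG_EXE}

if __name__ == "__main__":
    for label, cmd in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        points, resolved = hijack_points(cmd, SIMULATED_FS)
        print(label, "-> runs", resolved)
        for p in points:
            print("   attacker could plant:", p)
```

On a live system the command line to feed `hijack_points` is the `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`; the unquoted PostgreSQL example yields a single planting location, `C:\Program.exe`, which matches the "exe with the same name as the first part of the directory" observation in the thread, while the quoted form yields none.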