Re: [SECURITY] DoS attack on backend possible (was: Re:

Mike Mascari <mascarm@mascari.com>

From: Mike Mascari <mascarm@mascari.com>
To: Christopher Kings-Lynne <chriskl@familyhealth.com.au>
Cc: Justin Clift <justin@postgresql.org>, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, pgsql-hackers@postgresql.org
Date: 2002-08-12T07:17:56Z
Lists: pgsql-hackers
Christopher Kings-Lynne wrote:
> 
> > Hey yep, good point.
> >
> > Is this the only way that we know of non postgresql-superusers to be
> > able to take out the server other than by extremely non-optimal,
> > resource wasting queries?
> >
> > If we release a 7.2.2 because of this, can we be pretty sure we have a
> > "no known vulnerabilities" release, or are there other small holes which
> > should be fixed too?
> 
> What about that "select cash_out(2) crashes because of opaque" entry in the
> TODO?  That really needs to be fixed.
> 
> I was talking to a CS lecturer about switching to postgres from oracle when
> 7.3 comes out and all he said was "how easily is it hacked?".  He says their
> systems are the most constantly bombarded in universities.  What could I
> say?  That any unprivileged user can just go 'select cash_out(2)' to DOS the
> backend?

If he's using Oracle already, he ought to check out:

http://www.cert.org/advisories/CA-2002-08.html

I'd still think it would be a good policy to make a security release.
However, without user resource limits in PostgreSQL, anyone can make a
machine useless with a query like:

SELECT * 
FROM pg_class a, pg_class b, pg_class c, pg_class d, pg_class e, ... ;

Mike Mascari
mascarm@mascari.com