Re: [GENERAL] PostgreSQL 7.2.2: Security Release
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Marc G. Fournier" <scrappy@hub.org>
Cc: Neil Conway <neilc@samurai.com>, Bruce Momjian <pgman@candle.pha.pa.us>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2002-08-24T04:37:44Z
Lists: pgsql-hackers, pgsql-general
"Marc G. Fournier" <scrappy@hub.org> writes: > Right, but you have to get a connection to the backend in order to crash > it ... no? The point was that it might be possible to exploit this with only indirect access to the database, such as entering "date" information into a webform that would hand off the value to the database with little or no checking. Most of the risks we've been discussing require the ability to issue chosen SQL commands, but this one only requires the ability to determine a data value that's used in a SQL command. Big difference. regards, tom lane