@(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL

From: Sir Mordred The Traitor
Subject: @(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL
Date:
Msg-id: 3d6a20a0.47b4459c@s-mail.com
Replies: Re: @(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL
List: pgsql-hackers
"..if someone has direct SQL access to your database, they can
already do more damage than what this vulnerability addresses.  Specifically
DROP TABLE is available to users with direct SQL command line access..."

That's true of course, but I really don't want to do any damage; I might
not even want to get noticed...

".. the cracker must be able to execute arbitrary SQL commands against the
database, and by that stage of the game, a DoS attack is already trivial
(e.g. disable GEQO and execute a 15 table join query)..."

Hmm, sounds complex, why bother? Thanks for the advice anyway :-)

//@(#) Mordred Labs advisory 0x0006

Release date: 26/08/02
Name: Two dumb DoS conditions in PostgreSQL
Versions affected: all versions
Risk: very low

---[ Description:

1) When the substring(text, integer, integer) function is invoked, the
src/backend/utils/adt/varlena.c:text_substr() function gets called; it fails
to detect a simple DoS condition triggered by a very high third argument.
Multibyte support must be enabled for this attack to work.
The vulnerable encodings are SQL_ASCII and LATIN1.
With others, you just get a SIGSEGV (not checked).

2) When the bpchar(char, integer) function is invoked, the
src/backend/utils/adt/varchar.c:bpchar() function gets called; it suffers
from a DoS condition.

--[ How to reproduce:

template1=# select substring('xxxxxxxx',2,2147483647);
template1=# select bpchar('x',100000000);

--[ Solution

None is available.
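Added example, not code from the advisory or from PostgreSQL: an overflow-safe bounds computation for the first condition, assuming (the advisory does not say so) that the defect is a 32-bit start + length sum wrapping when the third argument is 2147483647; `safe_substr_bounds` and `safe_substring` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

/*
 * Constructed illustration, not PostgreSQL's text_substr(). It assumes the
 * first condition comes from the end position S + L of substring(str, S, L)
 * being computed in 32 bits, which wraps for L = 2147483647; here the sum is
 * done in 64 bits and clamped to the string, so a huge L is harmless.
 * SQL semantics: 1-based positions P with S <= P < S + L are returned; L < 0
 * is an error.
 * Returns 0 and sets *off (0-based byte offset) and *len, or -1 if L < 0.
 */
int safe_substr_bounds(int32_t text_len, int32_t S, int32_t L,
                       int32_t *off, int32_t *len)
{
    int64_t from = S, to;
    if (L < 0)
        return -1;
    /* 64-bit sum: 2 + 2147483647 is 2147483649, not a wrapped negative */
    to = (int64_t) S + (int64_t) L;            /* exclusive end position */
    /* Clamp both ends to the valid position range [1, text_len + 1] */
    if (from < 1)
        from = 1;
    if (to > (int64_t) text_len + 1)
        to = (int64_t) text_len + 1;
    if (to <= from) {                          /* empty result, never negative */
        *off = 0;
        *len = 0;
        return 0;
    }
    *off = (int32_t) (from - 1);
    *len = (int32_t) (to - from);
    return 0;
}

/* Copies substring(src, S, L) into dst as a NUL-terminated string and returns
 * the byte count, or -1 on a negative L or an undersized dst. The copy size
 * is bounded by src_len, never by the caller-supplied L. */
int safe_substring(const char *src, int32_t src_len, int32_t S, int32_t L,
                   char *dst, size_t dst_cap)
{
    int32_t off, len;
    if (safe_substr_bounds(src_len, S, L, &off, &len) != 0)
        return -1;
    if ((size_t) len + 1 > dst_cap)
        return -1;
    memcpy(dst, src + off, (size_t) len);
    dst[len] = '\0';
    return len;
}
```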



