[Pkg-nagios-devel] Bug#369362: nagios: Insecure quote escaping in

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
Guest

[Pkg-nagios-devel] Bug#369362: nagios: Insecure quote escaping in

Post by Guest »

--8GpibOaaTibBMecb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

hi ethan,

fyi, looks like there could potentially be some more problems with the
RDBMS methods in 1.x. i think the fix is probably not too hard; instead
of escaping queries manually using the provided functions by libpq (and
i'm sure a similar function for mysql must exist?).

i don't have time to look into this to see if there's an actual
vulnerability, and/or work on it right now, but i'll let you know
if i hear anything.

sean

----- Forwarded message from Martin Pitt -----

Date: Mon, 29 May 2006 13:09:19 +0200
=46rom: Martin Pitt
To: Debian BTS Submit
Subject: [Pkg-nagios-devel] Bug#369362: nagios: Insecure quote escaping in
PostgreSQL backend

Package: nagios
Severity: important
Version: 2:1.4-1
Tags: security

Hi!

Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and now not
allowed any more in some encodings which are prone to this SQL
injection attack. This has been assigned CVE-2006-2314.

The various xdata/xr*.c modules currently use \' to escape quotes, which ma=
kes
it vulnerable against this attack with earlier PostgreSQL versions, and will
break with the current one (since it disables this method of quote escaping=
by
default in affected client encodings). The database query quoting should be
changed to use '' instead of \', but a better fix is to completely replace
custom quoting with an invocation of PQescapeString() from libpq.

Please be aware that this also affects other database backends in principle
(unless they do not support the affected encodings). Also, '' is the SQL
standard escape for ', not \'.

Please also pass this to upstream.

Thank you!

Martin

--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



_______________________________________________
Pkg-nagios-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/ ... gios-devel


----- End forwarded message -----

--=20

--8GpibOaaTibBMecb
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEewS8ynjLPm522B0RAoMGAJ0YGZRZVZj64d2FY7pDnmH4Yj5foQCfWNM1
6n9n/MsHlAEJt7nyMrFN9Fk=
=d4Ro
-----END PGP SIGNATURE-----

--8GpibOaaTibBMecb--





This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
Top
Locked

Return to “Open Source Nagios Projects”