Network World
PostgreSQL fix could break applications

By Matthew Broersma , TechWorld , 05/26/2006

PostgreSQL users have been put in a potentially sticky situation by a serious security flaw made public this week.

The flaw allows SQL injection attacks and affects all versions of PostgreSQL other than the fixed versions released this week. However, the fix, PostgreSQL developers admit, will break many users' applications.

"Six PostgreSQL programmers worked for four weeks to come up with a method to fix the vulnerability without affecting production applications," said core developer Josh Berkus in documentation published to explain the complex bug. "This was the best we could do - it leaves most users' applications untouched."

Those using Far Eastern multi-byte encodings such as SJIS, BIG5, GBK, GB18030 and UHC are out of luck, however, and will need to rework their applications for them to work after applying the patch. Specifically, they will need to remove any nonstandard string escaping mechanisms, such as the popular "backslash-escape" (writing \' for a quote inside a literal), or at least modify them to use SQL-standard escaping (writing the quote twice, as ''), according to Berkus.

He admitted the modifications would be "painful" for many users.

Since the update affects client functionality, admins will need to install new drivers. Drivers for most programming languages should be available within days, according to Berkus. Binaries for some platforms should already be available from the PostgreSQL download page.

Most at risk are PostgreSQL servers that are both exposed to "untrusted input" and use multibyte encodings such as UTF-8 or SJIS. "Basically, most open source database users with Web applications," said Berkus. In particular danger are those using Far East encodings together with ad-hoc methods to "escape" strings going into the database, such as regexes, or PHP3's addslashes() and magic_quotes, Berkus said.

"Since these bypass database-specific code for safe handling of strings, many such applications will need to be re-written to become secure," Berkus wrote. "Note that the PHP team deprecated addslashes() and magic_quotes in Version 4.0 because of the security risk. Unfortunately, it still appears in a distressing number of freeware PHP applications online."
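To make the problem concrete, here is an added example, written for this page and not taken from the article or from the PostgreSQL project, showing why byte-oriented backslash escaping fails under a Far Eastern encoding and why the SQL-standard quote doubling does not. It uses Shift_JIS (one of the encodings named above), where the byte 0x5C that ASCII uses for a backslash is also a valid trailing byte of a two-byte character. The "server" is a deliberately simplified toy lexer that decodes the query in the connection encoding before looking for quotes; it is a model of the idea, not PostgreSQL's parser. The function names, the sample query and the attacker input are all constructed for the illustration.

```python
# Added example: models the multibyte backslash-escape bypass under Shift_JIS and
# contrasts it with SQL-standard quote doubling. The lexer below is a simplified
# model of a server that validates the connection encoding; it is not PostgreSQL code.

ENCODING = "shift_jis"  # assumption: the connection encoding under test


def backslash_escape(raw: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP's addslashes(): prefix ' " \\ and NUL
    with a backslash. It never looks at character boundaries, which is the defect."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_double_escape(raw: bytes) -> bytes:
    """SQL-standard escaping: a quote inside a literal is written as two quotes."""
    return raw.replace(b"'", b"''")


def build_query(escaped_literal: bytes) -> bytes:
    """Assemble the query the way a naive application does: by byte concatenation."""
    return b"SELECT * FROM users WHERE name = '" + escaped_literal + b"'"


def lex_first_literal(query: bytes, encoding: str, backslash_escapes: bool):
    """Toy model of the server's string-literal lexer (hypothetical, simplified).

    Decodes the query bytes in the connection encoding *before* scanning for quotes,
    so a multibyte character is one unit and a 0x5C trail byte is not a backslash.
    Returns (literal_value, trailing_sql) for the first single-quoted literal.
    Raises ValueError if the bytes are invalid in `encoding` or the literal never ends.
    """
    try:
        text = query.decode(encoding)            # strict: invalid sequences are rejected
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid byte sequence for encoding {encoding}") from exc

    i = text.index("'") + 1
    value = []
    while i < len(text):
        ch = text[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(text):
            value.append(text[i + 1])            # \x -> x (old non-standard behaviour)
            i += 2
        elif ch == "'" and i + 1 < len(text) and text[i + 1] == "'":
            value.append("'")                    # '' -> ' (SQL-standard)
            i += 2
        elif ch == "'":
            return "".join(value), text[i + 1:]  # literal closed; the rest is SQL
        else:
            value.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


# Constructed attacker input: a lone Shift_JIS lead byte (0x95) followed by a quote.
# In Shift_JIS, 0x95 0x5C is the two-byte character U+8868 (表), so a backslash
# inserted after 0x95 by the escaper is swallowed into that character.
ATTACK_INPUT = b"\x95' OR 1=1 --"
# Constructed legitimate input: the same character sent correctly encoded.
LEGIT_INPUT = "表".encode(ENCODING)          # b"\x95\x5c"


def run_case(user_input: bytes, escaper, backslash_escapes: bool = True) -> dict:
    """Escape `user_input`, build the query and lex it. Returns what the toy server
    sees: the literal value and any SQL that leaked outside it, or the rejection reason."""
    query = build_query(escaper(user_input))
    try:
        literal, trailing = lex_first_literal(query, ENCODING, backslash_escapes)
    except ValueError as exc:
        return {"rejected": str(exc)}
    return {"literal": literal, "trailing_sql": trailing, "injected": "OR 1=1" in trailing}


if __name__ == "__main__":
    print("backslash, attack :", run_case(ATTACK_INPUT, backslash_escape))
    print("backslash, legit  :", run_case(LEGIT_INPUT, backslash_escape))
    print("doubling,  attack :", run_case(ATTACK_INPUT, quote_double_escape))
    print("doubling,  legit  :", run_case(LEGIT_INPUT, quote_double_escape))
```

Run stand-alone, the four cases show the two halves of the article's point. With backslash escaping, the attacker's lone lead byte absorbs the inserted backslash, the literal closes after 表 and " OR 1=1 --" runs as SQL; the same escaper also mangles the legitimate 表 (its 0x5C trail byte gets doubled), which is the "rework your application" cost. With quote doubling, the attacker's bytes are simply invalid Shift_JIS and a server that validates encoding rejects the statement, while the legitimate character round-trips intact. One caveat the toy lexer makes visible: while the server still treats a backslash as an escape character (the `backslash_escapes=True` mode), a client-side escaper has to handle backslashes as well as quotes, which is why escaping should be left to the database driver rather than to a byte-level regex or addslashes().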

The bug is fixed in Versions 8.1.4, 8.0.8, 7.4.13 and 7.3.15, released this week and available from PostgreSQL's Web site.
