Hi,
I think I found a security problem in PHP3+postgres+apache shipped with
Potato.
Correct me if I'm wrong, but the following code should support any $var.
If you uncomment the client_encoding line, I'm able to execute any
request I want with the good $var.
%<------------------------------
$conn = pg_connect("dbname=" . BASE_DOC . " port=" . BASE_PORT
. " user=" . BASE_USER);
$var="XXXXXXXXX";
//pg_exec($conn, "SET client_encoding = 'LATIN1'");
$requete = "SELECT col FROM tab WHERE col='" . addslashes($var) . "'";
echo $requete;
$query = pg_exec($conn, $requete);
%<------------------------------
Tested on Debian GNU/Linux Potato i386, with
apache 1.3.9-14
php3 3.0.18-0
php3-pgsql 3.0.18-0
postgresql 6.5.3-27
What's the normal way to make a security bug report?
--
Benoît Sibaud
R&D Engineer - France Telecom
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
