Hi Florian,

Am I understanding this right:

- A PostgreSQL 7.2.1 server can be crashed if it gets passed certain date
  values which would be accepted by standard "front end" parsing?

So, a web application layer can request a date from a user, do standard
integrity checks (like looking for weird characters and formatting
hacks) on the date given, then use the date as part of a SQL query, and
PostgreSQL will die?

Regards and best wishes,

Justin Clift

Florian Weimer wrote:
>
> Justin Clift <[EMAIL PROTECTED]> writes:
>
> > Is it possible to crash a 7.2.1 backend without having an entry in the
> > pg_hba.conf file?
>
> No, but think of web applications and things like that.  The web
> frontend might pass in a date string which crashes the server backend.
> Since the crash can be triggered by mere data, an attacker does not
> have to be able to send specific SQL statements to the server.
>
> --
> Florian Weimer                    [EMAIL PROTECTED]
> University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT                          fax +49-711-685-5898

--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
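An application-layer check for the scenario raised in this thread, as an added example that is not part of the original messages: it contrasts a "weird characters" filter with strict parsing that forwards only a re-serialized, fixed-length date to the database. The function names, the filter pattern, the accepted date range and the sample inputs are assumptions made for illustration; none of the samples is claimed to be a value that crashes 7.2.1.

```python
import re
from datetime import date

# Assumption: the application only needs plain calendar dates as YYYY-MM-DD.
ISO_DATE = re.compile(r"\A([0-9]{4})-([0-9]{2})-([0-9]{2})\Z")
# Hypothetical "weird characters" filter of the kind the question describes.
SUSPICIOUS = re.compile(r"[;'\"\\]|--|/\*")

def passes_character_filter(raw):
    """True when the string contains none of the filtered characters."""
    return SUSPICIOUS.search(raw) is None

def canonical_date(raw, earliest=date(1900, 1, 1), latest=date(2100, 12, 31)):
    """Parse strictly; return a 10-character ISO date or raise ValueError."""
    if not isinstance(raw, str) or len(raw) != 10:
        raise ValueError("expected exactly YYYY-MM-DD")
    match = ISO_DATE.match(raw)
    if match is None:
        raise ValueError("expected exactly YYYY-MM-DD")
    year, month, day = (int(part) for part in match.groups())
    parsed = date(year, month, day)  # ValueError for e.g. 2002-02-30
    if not earliest <= parsed <= latest:
        raise ValueError("date outside the range this application accepts")
    # Forward the re-serialized value, never the user's original text.
    return parsed.isoformat()

def triage(samples):
    """Return (filter verdict, value to forward or None) for each input."""
    results = []
    for raw in samples:
        try:
            forwarded = canonical_date(raw)
        except ValueError:
            forwarded = None
        results.append((passes_character_filter(raw), forwarded))
    return results

# Constructed inputs for illustration only.
SAMPLES = [
    "2002-08-12",                    # well-formed
    "2002-02-30",                    # right shape, impossible day
    "12 August 2002 " + "A" * 300,   # free-form text with no filtered characters
    "2002-08-12'; --",               # caught by both checks
]

if __name__ == "__main__":
    for raw, (filter_ok, forwarded) in zip(SAMPLES, triage(SAMPLES)):
        print(f"{raw[:24]!r:28} filter_ok={filter_ok!s:5} forwarded={forwarded}")
```

The second and third samples pass the character filter but are never forwarded, so the backend's date parser only ever sees text the application generated itself.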