>
> TITLE:
> PostgreSQL Encoding-Based SQL Injection Vulnerability
>
> SECUNIA ADVISORY ID:
> SA20231
>
> VERIFY ADVISORY:
>
>
> CRITICAL:
> Moderately critical
>
> IMPACT:
> Manipulation of data
>
> WHERE:
> From remote
>
> SOFTWARE:
> PostgreSQL 7.x
>
> PostgreSQL 8.x
>
>
> DESCRIPTION:
> Two vulnerabilities have been reported in PostgreSQL, which
> potentially can be exploited by malicious people to conduct SQL
> injection attacks.
>
> The vulnerabilities are caused due to the differences in the way
> PostgreSQL server and non-encoding aware applications interpret SQL
> query strings that contain certain multi-byte characters. A
> non-encoding aware application may insert escape characters into a
> malicious query string (e.g. to escape single-quote or backslash
> characters), without realizing that the escape characters will be
> interpreted as part of a multi-byte character sequence by the server.
> This can be exploited to conduct SQL injection attacks by injecting
> certain multi-byte characters into the query string.
>
> Successful exploitation allows bypassing of SQL injection escaping
> code that are implemented in non-encoding aware applications.
>
> The vulnerabilities have been reported in the 7.3, 7.4, 8.0 and 8.1
> branch.
>
> SOLUTION:
> Update to the fixed versions.
>
>
> Version 7.3.x:
> Update to version 7.3.15.
>
> Version 7.4.x:
> Update to version 7.4.13.
>
> Version 8.0.x:
> Update to version 8.0.8.
>
> Version 8.1.x:
> Update to version 8.1.4.
>
> PROVIDED AND/OR DISCOVERED BY:
> Reported by vendor.
>
> ORIGINAL ADVISORY:
>
>
>
>
>
>
>
