Re: [Postgresql-it] [ANNOUNCE] IMPORTANT: two new PostgreSQL security problems found

  • From: "Valerio Granato" <contact@xxxxxxxxxx>
  • To: <postgresql-it@xxxxxxxxxxxxxxxxx>
  • Date: Wed, 4 May 2005 11:48:26 +0200

---- Original Message ----
From: "Martino Serri" <shaghy@xxxxxxxxxx>
To: <postgresql-it@xxxxxxxxxxxxxxxxx>
Sent: Tuesday, May 03, 2005 4:45 PM
Subject: [Postgresql-it] [ANNOUNCE] IMPORTANT: two new PostgreSQL
security problems found

I hope it is helpful to forward to the list this advisory
about two security problems found in PostgreSQL:

Character conversion vulnerability
----------------------------------

The more severe of the two errors is that the functions that support
client-to-server character set conversion can be called from SQL
commands by unprivileged users, but these functions are not designed
to be safe against malicious choices of argument values.  This
problem exists in PostgreSQL 7.3.* through 8.0.*.  The recommended
fix is to disable public EXECUTE access for these functions.  This
does not affect normal usage of the functions for character set
conversion, but it will prevent misuse.

Here is a small PHP script I wrote on the fly to fix
the problem. I hope it is useful; it is not very refined code,
but it was enough for me not to have to fix a thousand databases
by hand :-)

The wrapped lines have to be rejoined; you only need to insert the password
of your own postgres user.
A vacuum at the end does no harm :-)

Regards,
Valerio

#!/www/bin/php
<?php
$pgsqlpass = ""; // put your own postgres user password here

// Collect the names of all databases in the cluster. template0 is skipped here
// and handled separately below, because it does not accept connections by default.
$db = pg_connect("dbname=template1 user=postgres password=$pgsqlpass")
    or die("connection to template1 failed\n");
pg_query($db, 'set log_statement=true;');

$result = pg_query($db, 'select datname from pg_database');

$database = array();
for ($i = 0; $i < pg_num_rows($result); $i++) {
       $riga = pg_fetch_array($result, $i, PGSQL_ASSOC);
       $datname = $riga['datname'];
       if ($datname == 'template0') continue;

       $database[] = $datname;
}

pg_close($db);

// In every database, revoke public EXECUTE on the character set conversion
// functions: pg_catalog functions (namespace OID 11) with 5 arguments whose
// third argument is a cstring. proacl = '{=}' leaves PUBLIC with no privileges.
foreach ($database as $datname) {
       $db2 = pg_connect("dbname=$datname user=postgres password=$pgsqlpass")
           or die("connection to $datname failed\n");
       pg_query($db2, 'set log_statement=true;');
       pg_query($db2, "UPDATE pg_proc SET proacl = '{=}' WHERE pronamespace = 11 AND pronargs = 5 AND proargtypes[2] = 'cstring'::regtype;");
       pg_close($db2);
}

// template0 is the template for newly created databases, so it must be fixed too:
// temporarily allow connections to it, apply the same update, then lock it again.
$db2 = pg_connect("dbname=template1 user=postgres password=$pgsqlpass")
    or die("connection to template1 failed\n");
pg_query($db2, 'set log_statement=true;');
pg_query($db2, "UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';");
pg_close($db2);
$db2 = pg_connect("dbname=template0 user=postgres password=$pgsqlpass")
    or die("connection to template0 failed\n");
pg_query($db2, 'set log_statement=true;');
pg_query($db2, "UPDATE pg_proc SET proacl = '{=}' WHERE pronamespace = 11 AND pronargs = 5 AND proargtypes[2] = 'cstring'::regtype;");
pg_query($db2, 'VACUUM FREEZE;');
pg_query($db2, "UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';");
pg_close($db2);
?>
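An added verification query, not part of Valerio's script or of the PostgreSQL advisory: run it in each database after the script (in template0 only while datallowconn is enabled, as the script does) to list any conversion function that still grants EXECUTE to PUBLIC. It assumes the text form of a PUBLIC ACL entry is "=X/grantor" and that array_to_string is available (PostgreSQL 7.4 and later); an empty result means the fix took effect in that database.

```sql
-- Added check (not from the original post): pg_catalog functions matching the
-- advisory's pattern (5 arguments, third argument cstring) that PUBLIC can still
-- execute. A NULL proacl means default privileges, which include EXECUTE for
-- PUBLIC; an explicit PUBLIC grant appears in the ACL text as "=X/<grantor>".
SELECT p.oid::regprocedure AS conversion_function,
       p.proacl
FROM   pg_proc p
WHERE  p.pronamespace = 11
  AND  p.pronargs = 5
  AND  p.proargtypes[2] = 'cstring'::regtype
  AND  (p.proacl IS NULL
        OR ',' || array_to_string(p.proacl, ',') LIKE '%,=X%');
```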
