Re: Application name patch - v2
| От | Pavel Stehule |
|---|---|
| Тема | Re: Application name patch - v2 |
| Дата | |
| Msg-id | 162867790910190435i66b28634nfb9864eae10d353c@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Application name patch - v2 (Pavel Stehule <pavel.stehule@gmail.com>) |
| Список | pgsql-hackers |
2009/10/19 Pavel Stehule <pavel.stehule@gmail.com>: > 2009/10/19 Dave Page <dpage@pgadmin.org>: >> On Mon, Oct 19, 2009 at 10:45 AM, Pavel Stehule <pavel.stehule@gmail.com> wrote: >> >>> sure, you have to fix fulnerable application. But with some >>> unsophisticated using %a and using wrong tools, the people can be >>> blind and don't register an SQL injection attack. >> >> If they're logging the statements (which they presumably are if >> looking for unusual activity), then they'll see the attack: >> >> dpage@myapp: LOG: connection authorized: user=dpage database=postgres >> dpage@myapp: LOG: statement: set application_name='hax0red'; >> dpage@hax0red: LOG: disconnection: session time: 0:00:20.152 >> user=dpage database=postgres host=[local] >> > > this is bad solution. yes, I can found probmlematics rows, but I'll > get ten or more larger log. This is available only when loging of > application name changes depend on own configuration setting. > what is +/- same as GUC for write access to application name. Pavel > Regards > Pavel >> >> -- >> Dave Page >> EnterpriseDB UK: http://www.enterprisedb.com >> >
В списке pgsql-hackers по дате отправления: