Re: BUG #14090: Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages.
From | David G. Johnston |
---|---|
Subject | Re: BUG #14090: Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages. |
Date | |
Msg-id | CAKFQuwZGg31o=1L8ZsntR6X7-27Nx2-6Mkh_1SxLD4fHByMeaA@mail.gmail.com |
In reply to | BUG #14090: Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages. (soufiane.boussali@efet.ac.ma) |
List | pgsql-bugs |
On Sat, Apr 16, 2016 at 4:38 AM, <soufiane.boussali@efet.ac.ma> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 14090
> Logged by: Soufiane Boussali
> Email address: soufiane.boussali@efet.ac.ma
> PostgreSQL version: 9.5.2
> Operating system: Mac Os
> Description:
>
> [...]
>
> Some installations of Postgres 8 and 9 are configured to allow
> loading external scripting languages.
> Most commonly this is Perl and Python. When enabled, command
> execution is possible on the host.
> To execute system commands, loading the "untrusted" version of the
> language is necessary.
> This requires a superuser. This is usually postgres. The execution
> should be platform-agnostic,
> and has been tested on OS X, Windows, and Linux.
>
> This module attempts to load Perl or Python to execute system
> commands. As this dynamically loads
> a scripting language to execute commands, it is not necessary to
> drop a file on the filesystem.

That's why they are "untrusted"...and if being superuser is a requirement then it isn't really an exploit now, is it?

For reference, PostgreSQL version numbering requires two digits separated by a period. Version 8 and version 9 are incomplete identifiers as they lack the second digit. All versions beginning with 8 are also no longer supported.

I could not follow the code so my only real guide for complaint/intent is the description which I've quoted.

David J.
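The behaviour the report describes, and the checks a DBA would run against it, as an added SQL example that is not part of the thread or of the reported "module". It uses plperlu (the report mentions Perl or Python; plpythonu works the same way), and assumes the server's superuser role is named postgres and that a non-superuser role named app_user does not already exist; both names are assumptions. Run it with psql as the superuser.

```sql
-- Added example, not from the thread. Assumed names: superuser "postgres", role "app_user".

-- 1. The "load an untrusted language" step from the report. plperlu is the untrusted
--    variant of PL/Perl; installing it and creating functions in it both need superuser.
CREATE EXTENSION IF NOT EXISTS plperlu;

-- 2. A function that shells out. Backticks are ordinary Perl; the trusted plperl
--    language rejects them, plperlu permits them by design (that is what "untrusted" means).
--    The command runs as the OS account the server runs as, not as the calling role.
CREATE OR REPLACE FUNCTION run_cmd(cmd text) RETURNS text
LANGUAGE plperlu AS $$
    my ($cmd) = @_;
    return `$cmd`;
$$;

SELECT run_cmd('id');

-- 3. Audit: which procedural languages are installed and which are untrusted.
--    lanispl excludes the built-in "internal", "c" and "sql" entries.
SELECT lanname,
       lanpltrusted,
       pg_get_userbyid(lanowner) AS owner
FROM   pg_language
WHERE  lanispl
ORDER  BY lanpltrusted, lanname;

-- 4. Audit: who could use an untrusted language at all. Only superusers can create
--    functions in one, so this list is the whole set of roles that matter.
SELECT rolname FROM pg_roles WHERE rolsuper;

-- 5. The boundary the reply relies on: a non-superuser cannot create functions in
--    plperlu. This CREATE FUNCTION fails with a permission-denied error for the language.
CREATE ROLE app_user LOGIN;
SET ROLE app_user;
CREATE FUNCTION run_cmd_as_app(cmd text) RETURNS text
LANGUAGE plperlu AS $$ return `$_[0]`; $$;
RESET ROLE;

-- 6. Hardening when the language is not needed: remove it (superuser only), and clean up.
DROP FUNCTION run_cmd(text);
DROP EXTENSION plperlu;
DROP ROLE app_user;
```

Step 5 is the point of the reply: the untrusted-language path is gated on superuser, so an attacker who can reach it already has full control of the database and of the files the server process can read and write. The useful follow-up is therefore the audit in steps 3 and 4, keeping the `*u` languages uninstalled unless a specific function needs them, and keeping the superuser list short.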