#490 Postgres encoding security hole

Security (18)

Not fully investgiated, but the following is my
response to the users list regarding the latest
postgres security hole:

The problem in question is quite complex, and I haven't
had much time to

go over this in depth. It would appear that MailManager
may be vulnerable

in the case that the database encoding is set to a
multibyte encoding type.

This will depend on your distribution's configuration
of postgres, and can

be checked using the command \l+ in the psql command
line client.

For now, if this security vulnerability is a concern I
would advise that

you upgrade to the latest version of postgres, which
should resolve the

issue. Looking at the DTML layer in Zope, it appears to
use the '' string

escaping method which should be safe for all encoding
types with postgres


Our SQL layer which we introduced to allow us to
convert and wrap queries

should mean that any exploit can be prevented from
within MailManager

itself, rather than having to rely on a fix in Zope's
DTML layer or in

Postgres. I will investigate this properly and issue a
fix if necessary



  • Kevin Campbell

    Kevin Campbell - 2006-05-24

    Logged In: YES

    Moving this to the 2.0.9 release. It should be the case that
    2.1 is not vulnerable, given that unicode strings should be
    used throughout the code internally. Python will not allow
    the creation of a unicode string which will translate into
    0xc8 ' as there is no unicode code point which translates
    into that value in utf-8 (it is an invalid utf-8 string).

    The updated SQL wrapper in 2.1 will correct the issue if
    backported to 2.0. Any SQL calls which manually encode data
    will still need audited. This specifically means any SQL
    queries which are not from dtml code stored in the sql/v2_x
    directory on disk.

    If exploited, the vulnerability

  • Kevin Campbell

    Kevin Campbell - 2006-05-24
    • milestone: 595434 --> v2.0.9
  • Kevin Campbell

    Kevin Campbell - 2006-05-24

    Logged In: YES

    The following ZSQL Method which is hardcoded into
    MailManager appears to be vulnerable. This may be a problem
    to replace as it may be accessed directly through the web
    interface, and cannot be put through the SQL wrapper.

    manage_addZSQLMethod(self, id='account', title='',
    template='SELECT * '
    'FROM <dtml-var
    schema>mm_account '
    'WHERE <dtml-sqltest
    email type=nb>')

  • Kevin Campbell

    Kevin Campbell - 2006-05-24

    Logged In: YES

    Broken second reply to this bug should read

    If exploited, the vulnerability will allow access to the
    admin user. Escalation to access the underlying operating
    system should not be possible, and any attacker should still
    be contained within the zope process.

  • Kevin Campbell

    Kevin Campbell - 2006-05-24

    Logged In: YES

    There is now a premliminary fix in SVN. The web interface
    still needs directly tested to ensure:

    * Direct access to http://.../ticket/id still works
    correctly, similar for account and attachment
    * That direct access is restricted to authenticated users
    with the correct permissions

  • Kevin Campbell

    Kevin Campbell - 2006-05-25

    Logged In: YES

    This may also need a binary wrapper for the MySQL database
    adapter, so that we can discern between utf-8 strings and
    binary data which should not be translated. If MySQL is not
    affected (if it treats all data as ascii), then the fix in
    the sql later should be made specific to postgres.

  • Kevin Campbell

    Kevin Campbell - 2006-05-26
    • status: open --> closed-fixed
  • Kevin Campbell

    Kevin Campbell - 2006-05-26

    Logged In: YES

    Fixed in both 2.0.10 and 2.1-rc4


Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks