by neuralkoi
494 days ago
But also this: "Running meta-commands can extend psql's functionality, and it's through these that an attacker can feasibly achieve ACE by using the exclamation mark meta-command to execute a shell command on the operating system. Attackers can also use the vulnerability to execute SQL statements of their choosing." I don't know PostgreSQL very well, but being able to execute shell commands by default seems like an obvious footgun.

I've been keeping a casual eye on SQL injection stuff, and Unicode escaping seems to be a source of problems.