Tell me more ×
IT Security Stack Exchange is a question and answer site for IT security professionals. It's 100% free, no registration required.
up vote 7 down vote favorite

I think there is SQL injection vulnerability in an application I'm testing. This is seen when I enter malformed parameters into a search form. All exceptions are shown in format:

PHP raised unknown error: pg_query() [http://php.net/function.pg-query]: Query failed: ERROR: syntax error in tsquery: "query" (more details about error - in log file)

So it looks like that PostreSQL's tsquery function is used. After looking into some situations like:

The Fat & Rats:C

--> ERROR: syntax error in tsquery: "the & fat & & & rats:c"

I think plainto_tsquery is used to convert query into tsquery's format.

To what extent might this vulnerability be exploitable? Is it secure to use those PostgreSQL functions without additonal sanitizing?

share|improve this question
Informative error messages should be disabled and you should verify that the source code doesn't allow for SQL injection and is using bound parameters. – dr jimbob Aug 14 '12 at 19:21
1  
@drjimbob At this point, for this job, yes. That is probably what he should do. But, for future reference, it would be much better if he could learn to break such a weakness so that he can demonstrate the vulnerability to other customers. I'm not saying we give a full-on "how to" on this (perhaps that should be removed from the question itself) - but some guidance as to whether or not it is an indication of an exploitable vulnerability (and to what degree, if determinable from given details), and perhaps some suggestions for further testing, may still be appropriate. – Iszi Aug 14 '12 at 19:25
2  
Edited the question a bit. Hope that helps. – Iszi Aug 14 '12 at 19:29
2  
@drjimbob Understanding how to exploit vulnerabilities is on-topic and doesn't fall under the black hat restriction in the FAQ — this question isn't about how to carry out a specific attack. Besides the FAQ is more exclusive than the consensus on meta, which we are working on fixing. – Gilles Aug 14 '12 at 19:37

1 Answer

up vote 3 down vote

Looking here which sounds pretty similar to what you're seeing, this isn't straight up SQL injection but rather an injection into the query language used in tsquery. Also from the examples that may have been in a similar [closed] question, there was some oddness that didn't strike me as being a standard SQL Injection issue.

So not to say that it's not exploitable in some fashion, but that standard SQL Injection techniques are unlikely to produce useful results.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.