It literally is working as documented. You can disagree with that design (IMO a bad argument, because the ability to extend postgres with additional functionality at runtime is a significant reason for its success). But that does NOT make it a security issue.
Replying to @AndresFreundTec @Jacob_Wilkin
Claiming it as a remotely exploitable security issue is just disingenuous bullshit. You could just have blogged about a, in your view, poor design choice and that'd be entirely fair game.
Replying to @AndresFreundTec @Jacob_Wilkin
Seriously, we allow superusers to do all kinds of things. Execute user-defined functions in languages running without sandboxes (there are also sandboxed languages, which non-superusers can use). Create new base types, which rely on C functions in extension libraries. DROP all data.
Replying to @AndresFreundTec @Jacob_Wilkin
What you're saying is that, despite all that being documented, it's a security issue that we allow it. That just doesn't make sense.
Replying to @AndresFreundTec @Jacob_Wilkin
IOW: Don't give superusers permissions to users that don't need it, and don't run your applications as a superuser.
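The advice in the tweet above ("don't run your applications as a superuser") and the list of superuser-only features in the earlier tweet, as an added SQL example that is not part of the thread and not code from the PostgreSQL project. It audits who holds superuser-level power in a cluster, creates a least-privilege login role for an application, and then shows that the superuser-only features are refused for that role. The database name app_db, the schema app, the role app_user and the library/symbol names in the final statement are hypothetical.

```sql
-- Added example (not from the thread): audit superuser-level privileges and
-- create a least-privilege application role. app_db, app and app_user are
-- hypothetical names; replace them with your own.

-- 1. Which roles are superusers? Each of these can run OS commands via
--    COPY ... PROGRAM, load C functions from extension libraries, and DROP
--    every table, exactly as the thread describes.
SELECT rolname, rolcanlogin
FROM pg_roles
WHERE rolsuper;

-- 2. Which non-superusers have been granted the predefined roles that hand
--    out pieces of that same power (available since PostgreSQL 11)?
SELECT member.rolname  AS grantee,
       granted.rolname AS predefined_role
FROM pg_auth_members m
JOIN pg_roles member  ON member.oid  = m.member
JOIN pg_roles granted ON granted.oid = m.roleid
WHERE granted.rolname IN ('pg_execute_server_program',
                          'pg_read_server_files',
                          'pg_write_server_files');

-- 3. Which procedural languages are installed, and which are untrusted?
--    Untrusted languages (lanpltrusted = false) run without a sandbox, so
--    only superusers may create functions in them.
SELECT lanname, lanpltrusted
FROM pg_language
WHERE lanispl;

-- 4. The role the application actually connects as: login only, explicitly
--    NOSUPERUSER, no role or database creation, and only the table
--    privileges it needs.
CREATE ROLE app_user LOGIN PASSWORD 'replace-with-a-real-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT CONNECT ON DATABASE app_db TO app_user;
GRANT USAGE ON SCHEMA app TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_user;

-- 5. Check the boundary from the application's side. With SET ROLE in
--    effect, the server refuses the superuser-only features named in the
--    thread, so a compromised application connection cannot reach them.
SET ROLE app_user;
COPY (SELECT 1) TO PROGRAM 'id';          -- refused for a non-superuser
CREATE FUNCTION app.not_allowed() RETURNS void
    AS '$libdir/some_library', 'some_symbol'   -- hypothetical names
    LANGUAGE c;                           -- refused for a non-superuser
RESET ROLE;
```

Run steps 1 to 3 as a superuser and treat every row returned as a credential that must never be handed to an application; step 5 is a quick regression check to run after any change to role grants, since a GRANT of pg_execute_server_program or of superuser silently reopens the door.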
Replying to @Jacob_Wilkin
You got a CVE for it. Describing a design disagreement / feature wish as a security vulnerability.
Replying to @AndresFreundTec @Jacob_Wilkin
It certainly sounds like a pretty bad abuse of the CVE system, which is designed to help people track actual vulnerabilities. For clicks? Or something else? At least it is costing many hours of work from unpaid volunteers, there is that...
The actual vulnerability here is the security researcher DoS'ing a lot of database engineers and DBAs who could've done something productive today.
Oh, and btw, xp_cmdshell can just be remotely enabled using a privileged account. So there's simply no difference in the exposure MSSQL and PG have. Oracle also has a similar feature. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017
Presumably the CVEs against those are in the process of being filed as well. When they are, could you share the numbers with us so we can reference them in communication?
Nah, Oracle would just sue for defamation.