The pw_pgsql_connect function does not properly sanitize SQL queries, leading to SQLi via the pgsql config file.
No CVE assigned
Development version - master branch (Feb 20, 2020)
Details: Broken SQL sanitizer in pw_pgsql_connect (SQLi via config file)
Two different bugs have been detected:
- There is a mistake in pw_pgsql_escape_conninfo in the case for '\' (see Bug1.png): the current code snippet re-introduces the single quote instead of escaping the backslash.
- snprintf is called with the non-escaped strings (pw) instead of the escaped strings (escaped_pw) (see Bug2.png). As a result, the conninfo string is not properly sanitized and it is possible to inject SQL code into this query.
This issue may lead to a local SQLi via the pgsql config file.
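As an added illustration (not pure-ftpd's code), the following C program shows what a correct libpq conninfo escaper and its caller look like once both bugs are fixed: the backslash case is copied as a doubled backslash, and snprintf is fed only the escaped buffers. The escape_conninfo_value_buggy function is a hypothetical model of bug 1 built from the description above, and count_quoted_values is a small check that walks the resulting string the way libpq's parser would and reports whether a value escaped its quotes.

```c
#include <stdio.h>

/* Escape one value for a single-quoted libpq conninfo field: only '\' and
 * the single quote need a backslash prefix. Returns bytes written or -1. */
int escape_conninfo_value(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '\'' || *in == '\\') ? 2 : 1;
        if (o + need >= outsz) return -1;
        if (need == 2) out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed model of bug 1 (hypothetical, not pure-ftpd's code): the
 * backslash case emits "\'" instead of "\\", re-introducing a quote. */
int escape_conninfo_value_buggy(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in; in++) {
        int special = (*in == '\'' || *in == '\\');
        if (o + 1 + special >= outsz) return -1;
        if (special) out[o++] = '\\';
        out[o++] = special ? '\'' : *in;   /* wrong when *in is '\\' */
    }
    out[o] = '\0';
    return (int)o;
}

/* Bug 2 was formatting the raw strings; format only the escaped copies. */
int build_conninfo(const char *user, const char *pw, char *out, size_t outsz) {
    char eu[128], epw[128];
    if (escape_conninfo_value(user, eu, sizeof eu) < 0 ||
        escape_conninfo_value(pw, epw, sizeof epw) < 0) return -1;
    int n = snprintf(out, outsz, "user='%s' password='%s'", eu, epw);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Check: count quoted values as libpq's parser would see them; a correctly
 * escaped two-field string yields exactly 2, -1 if a quote is unbalanced. */
int count_quoted_values(const char *s) {
    int count = 0, inq = 0;
    for (; *s; s++) {
        if (inq && *s == '\\' && s[1]) { s++; continue; }
        if (*s == '\'') { if (!inq) count++; inq = !inq; }
    }
    return inq ? -1 : count;
}
```

Feeding a config value containing a quote through build_conninfo keeps it inside its field (count 2), whereas the same value pasted raw into the format string leaves a dangling quote (count -1).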
Coordinated Disclosure Timeline
This report is subject to our coordinated disclosure policy.
- 20/02/2020: Report sent to Vendor
- 16/03/2020: Vendor acknowledged report
- 16/03/2020: Fixes reviewed and verified
- 17/03/2020: Report published to public
- Bug1.png: 1st Vulnerable code snippet
- Bug2.png: 2nd Vulnerable code snippet
- Step1.png: Configuration file example
- Step2.png: “conninfo” string value (GDB)
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at email@example.com; please include GHSL-2020-031 in any communication regarding this issue.