[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnumed-devel] Re: SQL injection exploits... are we vulnerable?

From: Karsten Hilbert
Subject: [Gnumed-devel] Re: SQL injection exploits... are we vulnerable?
Date: Sun, 15 Apr 2007 20:05:26 +0200
User-agent: Mutt/1.5.13 (2006-08-11)

Hi Jim,

On Sun, Apr 15, 2007 at 10:19:34AM -0700, Jim Busser wrote:
> The vulnerabilities of SQL injection re getting some extra discussion  
> lately, maybe only a "bump" in a known vulnerability on account of  
> browser-based cross-site scripting attacks.
Yes, an attack known-to and recognized-by the GNUmed

Some factoids:

- injection attacks only happen if the values are sent
  in-the-query as opposed to alongside with the query for
  the server to handle
        - which psycopg2 (our database library) does but will change
          in the future at which point GNUmed will gain that extra
          security transparently

- injection attacks only happen on wrongly/unescaped values
  put into queries
        - which GNUmed does not do but rather hands *all* values
          to psycopg2 which does proper escaping (and thereby

So, barring bugs in psycopg2's quoting/escaping algorithm, we
aren't vulnerable. And we will transparently become entirely
invulnerable once psycopg2 starts sending values
out-of-query instead of escaping them into the query.

IOW, we did take due action the minimize the risk.

Thanks for the inquiry, though.

GPG key ID E4071346 @
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346

reply via email to

[Prev in Thread] Current Thread [Next in Thread]