Fail to block query pattern with ".*"

yukikwan
Joined: 02/23/2009

Dear sir/madam,

We are using the latest GreenSQL version, 1.0.0, released on Linux. We found a problem: if the query pattern contains ".*", GreenSQL fails to block the problematic query and always lets it through, even when the query contains a SQL injection pattern:

Failure to block SQL Injection query:
e.g. 1)
select bi.* from brc_book_info as bi, brc_book_info_relation as bir where bi.status = 1 and bir.brc_book_info_id = bi.brc_book_info_id and bir.type = 'brc_function' and bir.relation_id = 8 and substring(@@version,1)=4/* order by bi.order_name asc limit 0, 10000

Successfully blocked SQL Injection query:
e.g. 1)
select * from brc_book_info as bi, brc_book_info_relation as bir where bi.status = 1 and bir.brc_book_info_id = bi.brc_book_info_id and bir.type = 'brc_function' and bir.relation_id = 8 and substring(@@version,1)=4/* order by bi.order_name asc limit 0, 10000

e.g. 2)
select bi.order_name from brc_book_info as bi, brc_book_info_relation as bir where bi.status = 1 and bir.brc_book_info_id = bi.brc_book_info_id and bir.type = 'brc_function' and bir.relation_id = 8 and substring(@@version,1)=4/* order by bi.order_name asc limit 0, 10000

Any solutions or suggestions for this problem? Please advise. Thanks!

Regards,
Yuki
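As an added illustration (not GreenSQL's own code), the following tokenizer-based check keeps an `alias.*` column wildcard distinct from a `/*` comment opener, so the fingerprinting tail in the queries above is flagged whether the select list is `*` or `bi.*`. The sample statements are constructed from the ones in the post and shortened.

```python
import re

# Constructed statements modelled on the post: an alias.* wildcard in the select
# list, then the injected tail that reads @@version and opens an unclosed comment.
INJECTED_TAIL = "and substring(@@version,1)=4/* order by bi.order_name asc limit 0, 10000"
BYPASSED = ("select bi.* from brc_book_info as bi, brc_book_info_relation as bir "
            "where bi.status = 1 and bir.type = 'brc_function' " + INJECTED_TAIL)
BLOCKED = BYPASSED.replace("select bi.*", "select *", 1)
BENIGN = ("select bi.* from brc_book_info as bi "
          "where bi.note = 'see /* the manual' order by bi.order_name")

TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<string>'(?:[^']|'')*')     # quoted literal; a /* inside it is just text
    | (?P<comment_open>/\*)          # real start of a block comment
    | (?P<qualified_star>\b\w+\.\*)  # alias.* wildcard: this star is not a comment
    | (?P<sysvar>@@\w+)              # server system variable such as @@version
    | (?P<word>\w+)
    | (?P<op>\S)
""", re.VERBOSE)
def tokenize(sql):
    """Return (kind, text) tokens; comment bodies are dropped and an unterminated
    comment becomes a final ('unterminated_comment', rest) token."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)   # some alternative always matches
        pos, kind = m.end(), m.lastgroup
        if kind == "ws":
            continue
        if kind == "comment_open":
            close = sql.find("*/", pos)
            if close == -1:
                tokens.append(("unterminated_comment", sql[pos:]))
                break
            pos = close + 2
            continue
        tokens.append((kind, m.group()))
    return tokens
def assess(sql):
    """List the reasons to block the statement; an empty list means allow."""
    tokens = tokenize(sql)
    reasons = []
    if any(kind == "unterminated_comment" for kind, _ in tokens):
        reasons.append("unterminated block comment truncates the statement")
    if any(kind == "sysvar" and text.lower() == "@@version" for kind, text in tokens):
        reasons.append("reads @@version (server fingerprinting)")
    return reasons
def is_blocked(sql):
    return bool(assess(sql))
```

Both the `*` and the `bi.*` variants are blocked for the same two reasons, while the benign statement whose `/*` sits inside a string literal is allowed.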

yuli
Joined: 01/30/2008

Hello Yuki

Thank you for posting this bug report.
This bug will be fixed ASAP.

Yuli
