Fail to block query pattern with ".*"
Dear sir/madam,
We are using the latest version of GreenSQL, 1.0.0, released on Linux. We found a problem: if the query pattern contains ".*", GreenSQL fails to block the problem query and always bypasses it, even when the query contains an SQL injection pattern:
Failure to block SQL Injection query:
e.g. 1)
select bi.* from brc_book_info as bi, brc_book_info_relation as bir where bi.status = 1 and bir.brc_book_info_id = bi.brc_book_info_id and bir.type = 'brc_function' and bir.relation_id = 8 and substring(@@version,1)=4/* order by bi.order_name asc limit 0, 10000
Successfully blocked SQL Injection query:
e.g.1)
select * from brc_book_info as bi, brc_book_info_relation as bir where bi.status = 1 and bir.brc_book_info_id = bi.brc_book_info_id and bir.type = 'brc_function' and bir.relation_id = 8 and substring(@@version,1)=4/* order by bi.order_name asc limit 0, 10000
e.g.2)
select bi.order_name from brc_book_info as bi, brc_book_info_relation as bir where bi.status = 1 and bir.brc_book_info_id = bi.brc_book_info_id and bir.type = 'brc_function' and bir.relation_id = 8 and substring(@@version,1)=4/* order by bi.order_name asc limit 0, 10000
Any solutions or suggestions for this problem? Please advise. Thanks!
Regards,
Yuki
Comments
Hello Yuki
Thank you for posting this bug report.
This bug will be fixed ASAP.
Yuli
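
An added illustration, not GreenSQL code and not part of the original thread: the Python check below looks for the two markers shared by all three reported queries, a system-variable read (`@@version`) and an unterminated `/*` comment, outside string literals, so the verdict does not depend on whether the select list is `bi.*`, `*` or `bi.order_name`. The function names are hypothetical.

```python
import re

# Hypothetical helper names; this is not GreenSQL's implementation.
# The three queries from the report differ only in the select list.
TAIL = (" from brc_book_info as bi, brc_book_info_relation as bir "
        "where bi.status = 1 and bir.brc_book_info_id = bi.brc_book_info_id "
        "and bir.type = 'brc_function' and bir.relation_id = 8 "
        "and substring(@@version,1)=4/* order by bi.order_name asc limit 0, 10000")
QUERIES = {sel: "select " + sel + TAIL for sel in ("bi.*", "*", "bi.order_name")}

# Single- or double-quoted string, allowing backslash and doubled-quote escapes.
_LITERAL = re.compile(r"'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.|\"\")*\"")


def strip_literals(sql):
    """Blank out quoted strings so markers inside data are not counted."""
    return _LITERAL.sub("''", sql)


def indicators(sql):
    """Return the injection indicators found outside string literals."""
    code = strip_literals(sql)
    found = set()
    # An opening /* with no closing */ comments out the rest of the statement.
    last_open = code.rfind("/*")
    if last_open != -1 and code.find("*/", last_open + 2) == -1:
        found.add("unterminated_comment")
    # @@name reads a server system variable, e.g. @@version.
    if re.search(r"@@\w+", code):
        found.add("system_variable")
    return found


def verdicts():
    """Map each select-list variant to its sorted list of indicators."""
    return {sel: sorted(indicators(q)) for sel, q in QUERIES.items()}


if __name__ == "__main__":
    for sel, hits in verdicts().items():
        print(f"select {sel:<14} -> {hits}")
```
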