[Pkg-nagios-devel] Bug#641684: Quote character not escaped correctly for Postgresql
David Tulloh
david at tulloh.id.au
Thu Sep 15 07:53:14 UTC 2011
Package: icinga-idoutils
Version: 1.5.1-1
Severity: normal
IDO utils is incorrectly escaping characters such as ' for postgresql.
From the postgresql logs (running 9.1):
2011-09-15 17:12:18 EST ERROR: syntax error at or near "5" at character 184
2011-09-15 17:12:18 EST STATEMENT: UPDATE icinga_servicestatus SET
instance_id=1, service_object_id=201,
status_update_time=FROM_UNIXTIME(1316070738), output='CPU Load 22% (5
min average)', long_output='', perfdata='\'5 min avg
Load\'=22%;80;90;0;100', current_state=0, has_been_checked=1,
should_be_scheduled=1, current_check_attempt=1, max_check_attempts=4,
last_check=FROM_UNIXTIME(1316070728),
next_check=FROM_UNIXTIME(1316071028), check_type=0,
last_state_change=FROM_UNIXTIME(1315926986),
last_hard_state_change=FROM_UNIXTIME(1315816267), last_hard_state=0,
last_time_ok=FROM_UNIXTIME(1316070728),
last_time_warning=FROM_UNIXTIME(1315926926),
last_time_unknown=FROM_UNIXTIME(0),
last_time_critical=FROM_UNIXTIME(1315815967), state_type=1,
last_notification=FROM_UNIXTIME(0),
next_notification=FROM_UNIXTIME(0), no_more_notifications=0,
notifications_enabled=1, problem_has_been_acknowledged=0,
acknowledgement_type=0, current_notification_number=0,
passive_checks_enabled=1, active_checks_enabled=1,
event_handler_enabled=1, flap_detection_enabled=1, is_flapping=0,
percent_state_change='0.000000', latency='0.816000',
execution_time='0.190820', scheduled_downtime_depth=0,
failure_prediction_enabled=1, process_performance_data=1,
obsess_over_service=1, modified_service_attributes=0,
event_handler='', check_command='my_check_nt!CPULOAD!-l 5,80,90',
normal_check_interval='5.000000', retry_check_interval='1.000000',
check_timeperiod_object_id=174 WHERE service_object_id=201
Running the command manually, sanitized and a few minutes after the logged run:
> /usr/lib/nagios/plugins/check_nt -H ###.###.###.### -v CPULOAD -l 5,80,90 -s XXXX -p 12489
CPU Load 21% (5 min average) | '5 min avg Load'=21%;80;90;0;100
Browsing the source it looks like escaping is done in db.c:2335
ido2db_db_escape_string() by adding a \ in front of a ' character,
which is causing the problems; I believe postgresql wants a '' instead
of a \'.
It should however be done properly using libpq's PQescapeLiteral. It
also protects against multibyte SQL injection attacks that the
previous method doesn't. Chris Shiflett did a decent writeup of this
problem several years ago [1], the vulnerability looks to extend to
all the databases in use.
[1]: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
David
-- System Information:
Debian Release: wheezy/sid
APT prefers stable
APT policy: (800, 'stable'), (750, 'testing'), (600, 'unstable'),
(500, 'oldstable'), (150, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.39+ (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages icinga-idoutils depends on:
ii dbconfig-common 1.8.47 common framework for packaging dat
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii icinga-common 1.5.1-1 host and network monitoring system
ii libc6 2.13-18 Embedded GNU C Library: Shared lib
ii libdbd-mysql 0.8.3-1+s-2.1 MySQL database server driver for l
ii libdbd-pgsql 0.8.3-1+s-2.1 PostgreSQL database server driver
ii libdbi1 0.8.4-5.1 DB Independent Abstraction Layer f
ii lsb-base 3.2-28 Linux Standard Base 3.2 init scrip
ii ucf 3.0025+nmu2 Update Configuration File: preserv
Versions of packages icinga-idoutils recommends:
ii mysql-client-5.1 [mysql-clien 5.1.49-3 MySQL database client binaries
ii postgresql-client 9.1+121 front-end programs for PostgreSQL
ii postgresql-client-9.0 [postgr 9.0.4-2 front-end programs for PostgreSQL
ii postgresql-client-9.1 [postgr 9.1~rc1-3 front-end programs for PostgreSQL
icinga-idoutils suggests no packages.
-- debconf information:
icinga-idoutils/dbconfig-upgrade: true
icinga-idoutils/mysql/method: unix socket
icinga-idoutils/db/dbname: icinga
icinga-idoutils/dbconfig-remove:
icinga-idoutils/missing-db-package-error: abort
icinga-idoutils/install-error: retry
icinga-idoutils/pgsql/authmethod-admin: ident
icinga-idoutils/pgsql/admin-user: postgres
icinga-idoutils/internal/reconfiguring: false
icinga-idoutils/purge: false
icinga-idoutils/pgsql/changeconf: false
icinga-idoutils/db/basepath:
icinga-idoutils/database-type: pgsql
icinga-idoutils/upgrade-error: abort
icinga-idoutils/pgsql/method: unix socket
icinga-idoutils/remote/port:
icinga-idoutils/internal/skip-preseed: true
icinga-idoutils/dbconfig-reinstall: false
icinga-idoutils/upgrade-backup: true
icinga-idoutils/remove-error: abort
* icinga-idoutils/dbconfig-install: false
icinga-idoutils/pgsql/manualconf:
icinga-idoutils/passwords-do-not-match:
icinga-idoutils/pgsql/authmethod-user: password
icinga-idoutils/pgsql/no-empty-passwords:
icinga-idoutils/db/app-user: icingaidoutils
icinga-idoutils/remote/host:
icinga-idoutils/mysql/admin-user: root
icinga-idoutils/remote/newhost:
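The following is an added example, not ido2db or libpq code, that models the two escaping schemes discussed in the report and a deliberately simplified version of how the server scans the body of a '...' literal. It shows why the backslash-escaped perfdata in the logged UPDATE terminates the literal right before the "5" on PostgreSQL 9.1, whose default of standard_conforming_strings=on makes a backslash an ordinary byte, and why the same bytes were accepted under the older default. It also reproduces the multibyte case from the Shiflett article under a GBK model (lead byte 0x81-0xFE plus trail byte 0x40-0xFE, where 0x5C is a valid trail byte), which is the reason an encoding-aware routine such as PQescapeLiteral is the right fix. The function names, the GBK model and the sample inputs are all constructed for this demonstration; the lexer is not the real PostgreSQL scanner and does not model invalid-encoding rejection.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte-wise quote escaping, encoding-unaware. esc == '\\' models the
 * ido2db_db_escape_string() behaviour described in the report (\' ),
 * esc == '\'' models SQL-standard doubling (''). Caller frees the result. */
char *escape_quotes(const char *in, char esc)
{
    size_t n = strlen(in);
    char *out = malloc(2 * n + 1);
    char *p = out;
    if (!out)
        return NULL;
    for (const char *s = in; *s; s++) {
        if (*s == '\'')
            *p++ = esc;      /* prefix the quote with \ or with a second ' */
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Simplified model of the server scanning the body of a '...' literal.
 * backslash_escapes: 1 models standard_conforming_strings=off (\' is a quote),
 *                    0 models the 9.1+ default, where \ is just another byte.
 * gbk: 1 treats a lead byte 0x81-0xFE followed by a trail byte 0x40-0xFE
 *      (except 0x7F) as one two-byte character; 0x5C is a valid trail byte.
 * Returns the offset of the first byte that terminates the literal early
 * (a quote that is neither escaped nor doubled), or -1 if the whole body
 * is consumed as a single literal. */
long literal_break(const unsigned char *body, size_t len,
                   int backslash_escapes, int gbk)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = body[i];
        if (gbk && c >= 0x81 && c <= 0xFE && i + 1 < len) {
            unsigned char t = body[i + 1];
            if (t >= 0x40 && t <= 0xFE && t != 0x7F) {
                i += 2;      /* two-byte character, even if the trail is \ */
                continue;
            }
        }
        if (c == '\\' && backslash_escapes && i + 1 < len) {
            i += 2;          /* \x consumed as an escape sequence */
            continue;
        }
        if (c == '\'') {
            if (i + 1 < len && body[i + 1] == '\'') {
                i += 2;      /* '' is a literal quote in every mode */
                continue;
            }
            return (long)i;  /* unescaped quote: literal ends here */
        }
        i++;
    }
    return -1;
}

/* Convenience wrapper for NUL-terminated bodies. */
long literal_break_str(const char *body, int backslash_escapes, int gbk)
{
    return literal_break((const unsigned char *)body, strlen(body),
                         backslash_escapes, gbk);
}

int main(void)
{
    /* perfdata from the report's logged UPDATE, before escaping */
    const char *perf = "'5 min avg Load'=22%;80;90;0;100";
    /* constructed GBK-style payload: lead byte 0xBF followed by a quote */
    const char *gbk = "\xBF' OR 1=1 --";
    char *bs = escape_quotes(perf, '\\');
    char *dbl = escape_quotes(perf, '\'');
    char *gbs = escape_quotes(gbk, '\\');
    char *gdbl = escape_quotes(gbk, '\'');

    printf("backslash, scs=on : break at %ld\n", literal_break_str(bs, 0, 0));
    printf("backslash, scs=off: break at %ld\n", literal_break_str(bs, 1, 0));
    printf("doubling,  scs=on : break at %ld\n", literal_break_str(dbl, 0, 0));
    printf("GBK backslash     : break at %ld\n", literal_break_str(gbs, 1, 1));
    printf("GBK doubling      : break at %ld\n", literal_break_str(gdbl, 1, 1));

    free(bs); free(dbl); free(gbs); free(gdbl);
    return 0;
}
```

A break offset of 1 for the backslash-escaped perfdata is the literal ending after the lone "\", so the next token the parser sees is "5", matching the logged "syntax error at or near "5"". In the GBK case the backslash scheme turns 0xBF 0x27 into 0xBF 0x5C 0x27, the first two bytes are consumed as one character, and the quote escapes the literal; doubling survives because the quote is handled before any encoding question arises, which is also why the libpq routine, which knows the connection encoding, is preferable to a hand-rolled byte loop.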