----------------------------------------------------------------------

Did you know? Our assessment and impact rating along with detailed
information such as exploit code availability, or if an updated patch
is released by the vendor, is not part of this mailing-list?
        
Click here to learn more about our commercial solutions:
http://secunia.com/advisories/business_solutions/
        
Click here to trial our solutions:
http://secunia.com/advisories/try_vi/

----------------------------------------------------------------------

TITLE:
PostgreSQL Planner Low Cost Functions Information Disclosure

SECUNIA ADVISORY ID:
SA34206

VERIFY ADVISORY:
http://secunia.com/advisories/34206/

DESCRIPTION:
A weakness has been reported in PostgreSQL, which can be exploited by
malicious users to disclose potentially sensitive information.

The weakness is caused due to an error within PostgreSQL's planner
when executing low cost functions in combination with views. This can
be exploited to e.g. disclose the content of columns intended to be
inaccessible by the view by creating and using a low cost function
containing e.g. the "raise" statement.

The weakness is confirmed in version 8.3.6. Other versions may also
be affected.

SOLUTION:
Do not allow untrusted users to create own functions.

PROVIDED AND/OR DISCOVERED BY:
Andres Freund

ORIGINAL ADVISORY:
http://archives.postgresql.org/pgsql-hackers/2009-02/msg00861.php

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------