Two vulnerabilities have been reported in PostgreSQL, which potentially can be exploited by malicious people to conduct SQL injection attacks.

The vulnerabilities are caused due to the differences in the way PostgreSQL server and non encoding-aware applications interpret SQL query strings that contain certain multi-byte characters. A non encoding-aware application may insert escape characters into a malicious query string (e.g. to escape single-quote or backslash characters), without realizing that the escape characters will be interpreted as part of a multi-byte character sequence by the server. This can be exploited to conduct SQL injection attacks by injecting certain multi-byte characters into the query string.

Successful exploitation allows bypassing of SQL injection escaping code that are implemented in non encoding-aware applications.

The vulnerabilities have been reported in the 7.3, 7.4, 8.0 and 8.1 branch.

Solution
Update to the fixed versions.
Further details available to Secunia VIM customers

Provided and/or discovered by
The vendor credits Akio Ishida and Yasuo Ohgaki.

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://archives.postgresql.org/pgsql-announce/2006-05/msg00010.php
http://www.postgresql.org/docs/techdocs.50
http://www.postgresql.org/docs/8.1/static/release-7-3-15.html
http://www.postgresql.org/docs/8.1/static/release-7-4-13.html
http://www.postgresql.org/docs/8.1/static/release-8-0-8.html
http://www.postgresql.org/docs/8.1/static/release.html#RELEASE-8-1-4

Deep Links
Links available to Secunia VIM customers