New Attack Exploits "Safe" Oracle Inputs
Trailrunner7 writes "Database security super-genius David Litchfield has found a way to manipulate common Oracle data types, which were not thought to be exploitable, and inject arbitrary SQL commands. The new method shows that you can no longer assume any data types are safe from attacker input, regardless of their location or function. 'In conclusion, even those functions and procedures that don't take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and prevent this type of vulnerability getting into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper (PDF) has proved, they are,' Litchfield writes."
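The mechanism behind the summary's warning is Oracle's implicit DATE-to-string conversion: when a DATE such as SYSDATE is concatenated into a dynamic SQL string, it is rendered with the session's NLS_DATE_FORMAT, and a format model may contain arbitrary double-quoted literal text. The following PL/SQL is an added, constructed example (not code from Litchfield's paper or from the summary) showing a procedure that takes no user input at all, the session setting that turns its SYSDATE into an injection payload, and a hardened version that binds the DATE instead. The table and procedure names (orders, report_since_today, report_since_today_safe) are hypothetical.

```sql
-- Constructed demo schema (hypothetical names).
CREATE TABLE orders (id NUMBER, created DATE);
INSERT INTO orders VALUES (1, SYSDATE - 1);
INSERT INTO orders VALUES (2, SYSDATE + 1);
COMMIT;

-- VULNERABLE: no parameters, but SYSDATE is implicitly converted to text
-- using the caller's NLS_DATE_FORMAT before it is glued into the SQL string.
CREATE OR REPLACE PROCEDURE report_since_today AS
  v_sql   VARCHAR2(4000);
  v_count NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM orders WHERE created >= ''' || SYSDATE || '''';
  DBMS_OUTPUT.PUT_LINE('Executing: ' || v_sql);
  EXECUTE IMMEDIATE v_sql INTO v_count;
  DBMS_OUTPUT.PUT_LINE('Orders since today: ' || v_count);
END;
/

-- ATTACKER (same session, needs ALTER SESSION): double quotes inside an
-- Oracle date format model delimit literal text, so SYSDATE now renders as
-- a quote-breaking payload rather than a date. Outer '' is a quoted quote.
ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR 1=1--"';
EXEC report_since_today;
-- Executed statement becomes:
--   SELECT COUNT(*) FROM orders WHERE created >= '' OR 1=1--'
-- i.e. the WHERE clause is rewritten; under definer's rights the injected
-- SQL runs with the procedure owner's privileges, not the caller's.

-- HARDENED: bind the DATE. No text conversion happens, so NLS settings
-- cannot influence the statement; an explicit TO_CHAR(SYSDATE,'YYYY-MM-DD')
-- format mask would also be safe if concatenation were unavoidable.
CREATE OR REPLACE PROCEDURE report_since_today_safe AS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM orders WHERE created >= :d'
    INTO v_count USING SYSDATE;
  DBMS_OUTPUT.PUT_LINE('Orders since today: ' || v_count);
END;
/

ALTER SESSION SET NLS_DATE_FORMAT = 'DD-MON-RR';  -- restore the default
EXEC report_since_today_safe;  -- unaffected by any NLS_DATE_FORMAT value
```

Run with SET SERVEROUTPUT ON to see the rewritten statement. The check to apply in review is mechanical: any DATE or NUMBER that is concatenated into a string passed to EXECUTE IMMEDIATE, DBMS_SQL or OPEN ... FOR is a candidate, whether or not the value originates from a caller, because the conversion format is session state the caller controls.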
Come on, do I have to tag this myself?
Absolute power corrupts absolutely. indymedia
Ok, this may be barely on topic (and I've had more on-topic posts than this one modded "offtopic") but the summary describes David Litchfield as a "super-genius". Neither the dictionary nor Wikipedia has entries on "super-genius". Well actually Wikipedia does have it listed (linked) but it describes "a flash cartoon flash game flash animation web portal channel and studio" and a rock and roll band.
The Wikipedia entry on IQ does not contain the word "genius", let alone "super-genius".
So if someone (preferably the super-genius who wrote the summary) can tell me what a "super-genius" is, I'd appreciate it. Actually I'd appreciate it more if submitters and editors wouldn't use jargon that I'm unfamiliar with and can find neither in the dictionary nor wikipedia.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Then the project manager should be lectured on proper development techniques.
You must have different project managers than I do. Ours are completely obsessed with setting (and missing) milestone dates. They don't care HOW things get done, or even if they're done properly.
Brother, can you spare a decent PM?
Always assume your input is an arbitrary location and length of pi. *joking*
This is why assuming a datatype, even the ones advertised as constant or immutable (strongly typed), is bad.
I might be missing some DBA jargon here though, about schema types, instead of language.
It isn't a lie if you believe it.