New Attack Exploits "Safe" Oracle Inputs
Trailrunner7 writes "Database security super-genius David Litchfield has found a way to manipulate common Oracle data types, which were not thought to be exploitable, and inject arbitrary SQL commands. The new method shows that you can no longer assume any data types are safe from attacker input, regardless of their location or function. 'In conclusion, even those functions and procedures that don't take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and prevent this type of vulnerability getting into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper (PDF) has proved, they are,' Litchfield writes."
The 3 minimum levels of validation:
Validate at the client tier. (to save a return trip)
Validate at the application server tier. (to save a database trip)
Validate at the data tier. (to save your data)
Why is this so hard for developers to understand?
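The data-tier validation the comment above asks for, applied to the SYSDATE pattern from the summary, as an added example in PL/SQL (not from the article or from Litchfield's paper): the ORDERS table, its CREATED_AT column and the procedure names are assumed.

```sql
-- Added example, not from the article or the paper. Table ORDERS and column
-- CREATED_AT are assumed for illustration.

-- Weak form: no VARCHAR2 parameter at all, yet SYSDATE is concatenated into
-- the statement text. Concatenation converts the DATE with an implicit
-- TO_CHAR whose output follows the session's NLS settings, so the text that
-- reaches the parser is not under this procedure's control.
CREATE OR REPLACE PROCEDURE count_todays_orders_weak(p_count OUT NUMBER) AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT COUNT(*) FROM orders WHERE created_at >= '''
           || TRUNC(SYSDATE) || '''';  -- implicit DATE -> VARCHAR2 conversion
  EXECUTE IMMEDIATE v_sql INTO p_count;
END count_todays_orders_weak;
/

-- Hardened form: the DATE travels as a typed bind variable, so it is never
-- rendered as SQL text and its formatting cannot influence parsing. The same
-- rule holds for NUMBER values: bind them, do not concatenate them.
CREATE OR REPLACE PROCEDURE count_orders_since(p_since IN DATE,
                                              p_count OUT NUMBER) AS
  v_sql CONSTANT VARCHAR2(200) :=
    'SELECT COUNT(*) FROM orders WHERE created_at >= :since';
BEGIN
  EXECUTE IMMEDIATE v_sql INTO p_count USING p_since;
END count_orders_since;
/

-- Callers that want "since midnight today" pass TRUNC(SYSDATE) as the bind
-- value instead of letting it become part of the statement string.
CREATE OR REPLACE PROCEDURE count_todays_orders(p_count OUT NUMBER) AS
BEGIN
  count_orders_since(TRUNC(SYSDATE), p_count);
END count_todays_orders;
/

-- When the dynamic part must be an identifier (a table name chosen at run
-- time), it cannot be bound; validate it with DBMS_ASSERT before use.
CREATE OR REPLACE PROCEDURE count_rows_since(p_table IN VARCHAR2,
                                            p_since IN DATE,
                                            p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    || ' WHERE created_at >= :since'
    INTO p_count USING p_since;
END count_rows_since;
/
```

Code review or a static scan for `EXECUTE IMMEDIATE` with `||` on a DATE or NUMBER operand finds the weak pattern even in procedures that take no user input.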
This makes it clear it's only a matter of time before xkcd predictions become reality.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for..." -Roy Batty
People learn database programming now? I thought they just threw together whatever SQL and PHP they could find online and called themselves programmers.
"I use a Mac because I'm just better than you are."