RE: New form of sql injection hack documented

From: Goulet, Dick <richard.goulet_at_capgemini.com>
Date: Fri, 25 Apr 2008 13:21:59 -0400
Message-ID: <746B47FAF6783042B256C0E7CC0795CD02A6FA81@caonmastxm02.na.capgemini.com>


I'm quite sure that David catches a lot of hate mail about his papers, probably from the hackers out there. But one very smart person in my life once said that the only "safe" database is one that has nothing in it, which is still true today. The one item that I take from all of David's findings is that we should never look at code as doing what we intended it to do, but as what could someone else make it do. I know a lot of people think that hackers are all outside the firewall, which is false. The greatest threat to your database is the person in the cube next to you who has access to it.

I believe that David is a member of the list & consequently thank him for the revelations.  



Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / Fax: 508.229.2019
Email: richard.goulet_at_capgemini.com / www.capgemini.com
45 Bartlett St. / Marlborough, MA 01752

Together: the Collaborative Business Experience



From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Adams, Matthew (GE Indust, ConsInd)
Sent: Friday, April 25, 2008 10:08 AM
To: oracle-l_at_freelists.org
Subject: New form of sql injection hack documented  

FYI, yesterday David Litchfield released a paper describing how a SQL injection attack could be done on a PL/SQL routine that does dynamic statement creation, even if the routine has no parameters and no user interaction.

It's an interesting read.

http://www.davidlitchfield.com/blog/archives/00000041.htm



Matt Adams - GE Consumer and Industrial Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Apr 25 2008 - 12:21:59 CDT
