RE: New form of sql injection hack documented
Date: Fri, 25 Apr 2008 13:59:28 -0400
I cheer David on for exposing this stuff to the light of day. It's better if we all know about it and act upon the knowledge rather than have to "discover" it by debugging an attack.
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Goulet, Dick
Sent: Friday, April 25, 2008 1:22 PM
To: MATT.ADAMS_at_GE.COM; oracle-l_at_freelists.org
Subject: RE: New form of sql injection hack documented
I'm quite sure that David catches a lot of hate mail about his papers, probably from the hackers out there. But one very smart person in my life once said that the only "safe" database is one that has nothing in it, which is still true today. The one item that I take from all of David's findings is that we should never look at code as doing what we intended it to do, but as what could someone else make it do. I know a lot of people think that hackers are all outside the firewall, which is false. The greatest threat to your database is the person in the cube next to you who has access to it.
I believe that David is a member of the list & consequently thank him for the revelations.
Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / www.capgemini.com
Fax: 508.229.2019 / Email: richard.goulet_at_capgemini.com
45 Bartlett St. / Marlborough, MA 01752
Together: the Collaborative Business Experience
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Adams, Matthew (GE
Sent: Friday, April 25, 2008 10:08 AM
Subject: New form of sql injection hack documented
FYI: yesterday, David Litchfield released a paper describing how a SQL injection attack could be done on a PL/SQL routine that does dynamic statement creation, even if the routine has no parameters and no user interaction.
It's an interesting read.
Matt Adams - GE Consumer and Industrial Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa
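An added illustration of the class of bug Matt describes (to my understanding, the paper is Litchfield's April 2008 "Lateral SQL Injection" note). This is example code written for this archive page, not code from the thread or from the paper. The mechanism: when a PL/SQL routine concatenates SYSDATE (or a NUMBER) into dynamic SQL, the implicit conversion to text uses the calling session's NLS settings, so a caller with nothing but EXECUTE on the routine chooses what lands inside the statement, and the statement then runs with the owner's privileges if the routine uses definer's rights. Assumptions in the example: a table ORDERS(ORDER_DATE DATE) owned by the procedure owner, and SQL*Plus-style EXEC for the call; the second CREATE OR REPLACE is the hardened replacement.

```sql
-- Added example, not from the thread or from Litchfield's paper.
-- Assumed schema: ORDERS(ORDER_DATE DATE), owned by the procedure owner.

-- Vulnerable: no parameters at all, but SYSDATE is implicitly converted to
-- VARCHAR2 during concatenation using the CALLING session's NLS_DATE_FORMAT,
-- so the caller, not the author, decides what text ends up in the statement.
CREATE OR REPLACE PROCEDURE count_recent_orders AUTHID DEFINER AS
  stmt    VARCHAR2(4000);
  v_count NUMBER;
BEGIN
  stmt := 'SELECT COUNT(*) FROM orders WHERE order_date > ''' || SYSDATE || '''';
  EXECUTE IMMEDIATE stmt INTO v_count;
  DBMS_OUTPUT.PUT_LINE('recent orders: ' || v_count);
END;
/

-- Attacker's session (needs only EXECUTE on the procedure). A date format
-- model may contain literal text in double quotes, so the "date" renders as
-- injected SQL. Format models are short, which is why a real payload would
-- call a function the attacker owns instead of inlining much SQL.
ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR 1=1--"';
EXEC count_recent_orders
-- The statement actually executed, with the owner's privileges:
--   SELECT COUNT(*) FROM orders WHERE order_date > '' OR 1=1--'

-- Hardened: the value never becomes part of the statement text. Bind it
-- (or, failing that, convert it with an explicit format model such as
-- TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS') and TO_DATE it back inside
-- the statement). NLS settings of the caller then have no effect.
CREATE OR REPLACE PROCEDURE count_recent_orders AUTHID DEFINER AS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE order_date > :d'
    INTO v_count USING SYSDATE;
  DBMS_OUTPUT.PUT_LINE('recent orders: ' || v_count);
END;
/
```

The same applies to NUMBER values concatenated into dynamic SQL, where NLS_NUMERIC_CHARACTERS is the caller-controlled setting; the check to run over your own code is the same in both cases: any `||` that joins a DATE or NUMBER into a string handed to EXECUTE IMMEDIATE, DBMS_SQL or OPEN ... FOR is suspect, and binding is the fix.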
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Received on Fri Apr 25 2008 - 12:59:28 CDT