RE: New form of sql injection hack documented
Date: Mon, 28 Apr 2008 11:13:32 -0400
As well it should. An execute immediate in an anonymous PL/SQL block to rebuild indexes or the like is OK, but not in stored code since it's subject to much abuse. Pity that many of the third party vendors are not as wise.
Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / www.capgemini.com Fax: 508.229.2019 / Email: richard.goulet_at_capgemini.com 45 Bartlett St. / Marlborough, MA 01752
Together: the Collaborative Business Experience
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Robert Freeman Sent: Monday, April 28, 2008 12:40 AM
To: david_at_david-aldridge.com; oracle-l_at_freelists.org Subject: Re: New form of sql injection hack documented
and be wary of any dynamic SQL! :-) That execute immediate stuff scares the willies out of me! :)
Robert G. Freeman
Oracle Database 11g New Features (Oracle Press) Portable DBA: Oracle (Oracle Press)
Oracle Database 10g New Features (Oracle Press) Oracle9i RMAN Backup and Recovery (Oracle Press) Oracle9i New Feature
Blog: http://robertgfreeman.blogspot.com (Oracle Press)
- Original Message ---- From: David Aldridge <david_at_david-aldridge.com> To: oracle-l_at_freelists.org Sent: Sunday, April 27, 2008 7:12:24 PM Subject: Re: New form of sql injection hack documented
So long story short ... use bind variables?
- Original Message ---- From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS_at_GE.COM> To: oracle-l_at_freelists.org Sent: Friday, April 25, 2008 10:07:39 AM Subject: New form of sql injection hack documented
FYI yesterday, david litchfield released a paper describing how a sql injection attack could be done on a pl/sql routine that does dynamic statement creation, even if the routine has no parameters and no user interaction.
it's an interesting read.
Matt Adams - GE Consumer and Industrial Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
http://www.freelists.org/webpage/oracle-l Received on Mon Apr 28 2008 - 10:13:32 CDT