RE: New form of sql injection hack documented

From: Goulet, Dick <richard.goulet_at_capgemini.com>
Date: Mon, 28 Apr 2008 11:13:32 -0400
Message-ID: <746B47FAF6783042B256C0E7CC0795CD02A6FC2F@caonmastxm02.na.capgemini.com>


As well it should. An execute immediate in an anonymous PL/SQL block to rebuild indexes or the like is OK, but not in stored code since it's subject to much abuse. Pity that many of the third-party vendors are not as wise.



Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / Fax: 508.229.2019
www.capgemini.com / Email: richard.goulet_at_capgemini.com
45 Bartlett St. / Marlborough, MA 01752

Together: the Collaborative Business Experience



From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Robert Freeman
Sent: Monday, April 28, 2008 12:40 AM
To: david_at_david-aldridge.com; oracle-l_at_freelists.org
Subject: Re: New form of sql injection hack documented

and be wary of any dynamic SQL! :-) That execute immediate stuff scares the willies out of me! :)  

Robert G. Freeman
Author:
Oracle Database 11g New Features (Oracle Press)
Portable DBA: Oracle (Oracle Press)
Oracle Database 10g New Features (Oracle Press)
Oracle9i RMAN Backup and Recovery (Oracle Press)
Oracle9i New Features (Oracle Press)
Blog: http://robertgfreeman.blogspot.com

----- Original Message -----
From: David Aldridge <david_at_david-aldridge.com>
To: oracle-l_at_freelists.org
Sent: Sunday, April 27, 2008 7:12:24 PM
Subject: Re: New form of sql injection hack documented

So long story short ... use bind variables?

----- Original Message -----
From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS_at_GE.COM>
To: oracle-l_at_freelists.org
Sent: Friday, April 25, 2008 10:07:39 AM
Subject: New form of sql injection hack documented

FYI, yesterday David Litchfield released a paper describing how a SQL injection attack could be done on a PL/SQL routine that does dynamic statement creation, even if the routine has no parameters and no user interaction.

It's an interesting read.

http://www.davidlitchfield.com/blog/archives/00000041.htm



Matt Adams - GE Consumer and Industrial Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa  

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
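The thread's three points (dynamic SQL built by concatenation is injectable, a routine with no parameters can still be exposed, and bind variables are the fix) in one PL/SQL illustration. This is an added example, not code from the thread or from Litchfield's paper; the table EMP(ENAME, HIREDATE), the procedure names and the AUTHID CURRENT_USER clause are assumptions made here. DBMS_ASSERT is used for the identifier case because index and table names cannot be bound.

```sql
-- Added example (not from the thread). Assumes a table EMP(ENAME VARCHAR2, HIREDATE DATE).

-- 1. Dynamic SQL built by concatenating a parameter: injectable.
--    Whatever p_name contains becomes part of the statement text.
CREATE OR REPLACE PROCEDURE count_emps_concat (p_name IN VARCHAR2)
IS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp WHERE ename = ''' || p_name || ''''
    INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('rows: ' || v_cnt);
END count_emps_concat;
/

-- 2. A routine with NO parameters still builds its statement from data:
--    SYSDATE is converted to text using the session's NLS_DATE_FORMAT before
--    it is spliced in, so the final statement text depends on session settings
--    the routine's author does not control.
CREATE OR REPLACE PROCEDURE count_recent_concat
IS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp WHERE hiredate > ''' || SYSDATE || ''''
    INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('rows: ' || v_cnt);
END count_recent_concat;
/

-- 3. The same queries with bind variables: values travel separately from the
--    statement text and cannot change its structure. The DATE is bound as a
--    DATE, so no text conversion happens at all. AUTHID CURRENT_USER (an
--    assumed hardening, not from the thread) runs the code with the caller's
--    privileges rather than the owner's.
CREATE OR REPLACE PROCEDURE count_emps_bind (p_name IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp WHERE ename = :name AND hiredate > :since'
    INTO v_cnt
    USING p_name, SYSDATE;
  DBMS_OUTPUT.PUT_LINE('rows: ' || v_cnt);
END count_emps_bind;
/

-- 4. Identifiers (index names, table names) cannot be bound. For the
--    "rebuild indexes" case from the thread, validate the name with
--    DBMS_ASSERT instead: SIMPLE_SQL_NAME raises ORA-44003 if the value is
--    not a plain SQL name, and ENQUOTE_NAME double-quotes it so it is
--    treated strictly as an identifier.
CREATE OR REPLACE PROCEDURE rebuild_index (p_index IN VARCHAR2)
  AUTHID CURRENT_USER
IS
BEGIN
  EXECUTE IMMEDIATE
    'ALTER INDEX '
    || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_index))
    || ' REBUILD';
END rebuild_index;
/
```

Procedures 1 and 2 are the "before" shapes to look for in a code review of stored PL/SQL: any `EXECUTE IMMEDIATE` or `OPEN ... FOR` whose statement string contains a `||`. Procedure 3 is the replacement for data values; procedure 4 is the only acceptable pattern when the dynamic part is an object name.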

--

http://www.freelists.org/webpage/oracle-l Received on Mon Apr 28 2008 - 10:13:32 CDT
