Re: Paper: Snarfing attacks in Oracle DBMS_XMLGEN applications

From: <david_at_databasesecurity.com>
Date: Fri, 8 Nov 2013 21:43:18 -0000
Message-ID: <2F4D6D4F913E4B36B0AB20A8C9C56020_at_NAUTILUS>



As you say, you get it :) I think anyone who’s interested enough to read it is going to understand the difference between definer/invoker rights procedures and understand. I didn’t want to add any unnecessary SQL but perhaps you’re right. It may be worth doing.

Cheers,
David

From: Paresh Yadav
Sent: Friday, November 08, 2013 4:45 PM
To: david_at_databasesecurity.com
Cc: ORACLE-L
Subject: Re: Paper: Snarfing attacks in Oracle DBMS_XMLGEN applications

Hi David,

I haven't worked with DBMS_XMLGEN. Being on a slow Friday, I decided to check your white paper :). Thanks for sharing. I get the demo however.

In order to get the point across I think you might be better off demonstrating that the user won't be able to access the same data without using a context handle. In your case it is possible for the user to execute the same/similar SQL with 'MANGER' as the parameter without using the context handle. How about using a context handle to access data from a table that the user doesn't have direct access to, i.e. the user can get the data only by using a context defined in a package?

Thanks
Paresh

416-688-1003

On Fri, Nov 8, 2013 at 3:59 AM, <david_at_databasesecurity.com> wrote:

  Hello all,
  I’ve noted a weakness in the way DBMS_XMLGEN generates context handles. Due to this weakness it may be possible to gain access to sensitive data using a snarfing attack. Of course, this is totally dependent upon the application in question. You can get the paper here: http://www.davidlitchfield.com/Snarfing_attacks_in_DBMS_XMLGEN_Applications.pdf

  Cheers!
  David

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Nov 08 2013 - 22:43:18 CET
