Ultimate Web Site Drop Down Menu Forum


04-25-2008 09:14 PM

New Attack Exploits "Safe" Oracle Inputs
 
Trailrunner7 writes "Database security super-genius David Litchfield has found a way to manipulate common Oracle data types, which were not thought to be exploitable, and inject arbitrary SQL commands. The new method shows that you can no longer assume any data types are safe from attacker input, regardless of their location or function. Litchfield wrote, "In conclusion, even those functions and procedures that don't take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and prevent this type of vulnerability getting into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper [PDF] has proved, they are," he writes."

http://developers.slashdot.org/slash.../04/25/1840219
Read more of this story at Slashdot.