New attack exploits 'unexploitable' Oracle inputs
Posted by Trailrunner7 on Friday April 25 2008, @08:10AM

Trailrunner7 writes "SearchSecurity.com is reporting that database security supergenius David Litchfield has found a way to manipulate common Oracle data types that were thought to be safe and inject arbitrary SQL commands. The new method shows that you can no longer assume any data types are safe from attacker input, regardless of their location or function. "In conclusion, even those functions and procedures that don't take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and prevent this type of vulnerability getting into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper has proved, they are," he writes."