[18315] in bugtraq
Re: Oracle WebDb engine brain-damage
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Fri Dec 22 05:19:00 2000
Message-Id:  <Pine.LNX.4.30.0012220207210.25893-100000@dione.ids.pl>
Date:         Fri, 22 Dec 2000 02:10:44 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         "McAllister, Andrew" <McAllisterA@UMSYSTEM.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <D6F9BFB17375D3118C59006094516E99D5B248@UM-MAIL02>

On Wed, 20 Dec 2000, McAllister, Andrew wrote:

> This is not to say that you can't issue some dangerous commands as you
> suggest, just that you won't see any data as a result. Also, I believe
> that only data manipulation commands will work in this context e.g.
> delete, update, insert. I don't believe definition commands will work,
> e.g. drop, create. Again I don't have WebDB, so I cannot verify.

I believe you can do at least one of these possibilities:

- SELECT <pattern> INTO <sth> FROM <table> to move sensitive data
  from some private table to publicly available tables used e.g. for
  direct contents rendering,
- call WebDB output procedures to produce output (you can use full
  PL/SQL language syntax, including loops, declarations etc).

> I don't know this product well enough to say the above query will
> work, but I know of a similar, non-oracle, product that behaves
> exactly as Michal Zalewski describes. That product vendor was notified
> moments ago of Michal Zalewski's discovery /.../

Any hints? :)

--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=