New form of SQL injection hack documented

From: Adams, Matthew (GE Indust, ConsInd) <MATT.ADAMS_at_GE.COM>
Date: Fri, 25 Apr 2008 10:07:39 -0400
Message-ID: <9B91048922998049A2BED0F0745FB4A905194C9D@LOUMLVEM03.e2k.ad.ge.com>


FYI: yesterday, David Litchfield released a paper describing how a SQL injection attack could be done on a PL/SQL routine that does dynamic statement creation, even if the routine has no parameters and no user interaction.

It's an interesting read.

http://www.davidlitchfield.com/blog/archives/00000041.htm



Matt Adams - GE Consumer and Industrial
Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa

--

http://www.freelists.org/webpage/oracle-l Received on Fri Apr 25 2008 - 09:07:39 CDT
