Vulnerability Development mailing list archives
Perl / Oracle Vuln. New or Not?
From: Simon Kenton <simon_k () MAILANDNEWS COM>
Date: Tue, 5 Dec 2000 15:12:45 -0500
I came across an interesting bug / vulnerability while testing some web code for a client. The system is running Solaris 2.6, Netscape Enterprise Server, and is using Perl to interface with an Oracle database. Feeding the web form about 40,000 characters seems to kill oracle with the following error.

DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183.
DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183.
DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183.

If I enter a little more than 80,000 characters either the oracle, or perl thread dies altogether, and I get a page unreachable error.

Has anyone seen this before?

-Simon

------------------------------
Simon Kenton
Folk Hero To The Stars
------------------------------