Friday, April 25, 2008

New SQL Injection Technique Threatens Oracle Databases

Dennis Fisher writes on SearchSecurity:

Database security expert David Litchfield has devised a new method of exploiting various PL/SQL procedures that do not take any input. The technique, which he describes as lateral SQL injection, can be used to compromise Oracle databases remotely.

The attack exploits some common data types, including DATE and NUMBER, which do not take any input from the user and so are not normally considered to be exploitable. But, as Litchfield writes in his new paper [.pdf] on the lateral injection attack, using a bit of creative coding and some knowledge of the way the Oracle database management system works, an attacker can manipulate some common functions.

Litchfield, one of the founders of NGS Software Inc., of Surrey, England, says that the problem may not turn out to be easily exploitable in the wild, but that in specific cases it can be used to pass arbitrary SQL commands to the database.

More here.
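The defensive point for PL/SQL developers, as an added example that is not from the article or from Litchfield's paper: a definer-rights procedure that accepts no parameters but still concatenates a DATE into dynamic SQL, beside the bind-variable and static-SQL versions that close the gap. The table and procedure names are hypothetical.

```sql
-- Hypothetical schema used only by this example.
CREATE TABLE audit_log (logged_at DATE, note VARCHAR2(200));

-- RISKY PATTERN: no parameter is accepted, yet SQL text is built by
-- concatenating a DATE. The || forces an implicit DATE-to-text
-- conversion whose format is taken from the calling session's NLS
-- settings, not from this code, so the final SQL text depends on
-- session state the caller can change. Run under the definer's
-- privileges, this is the lateral injection surface the paper describes.
CREATE OR REPLACE PROCEDURE log_today_unsafe AUTHID DEFINER AS
  v_sql VARCHAR2(400);
BEGIN
  v_sql := 'INSERT INTO audit_log (logged_at, note) VALUES ('''
           || SYSDATE || ''', ''daily run'')';
  EXECUTE IMMEDIATE v_sql;
END;
/

-- HARDENED PATTERN: the DATE is passed as a bind variable, so it never
-- becomes part of the SQL text and its textual rendering is irrelevant.
-- The statement shape is fixed before any value is supplied.
CREATE OR REPLACE PROCEDURE log_today_safe AUTHID DEFINER AS
BEGIN
  EXECUTE IMMEDIATE
    'INSERT INTO audit_log (logged_at, note) VALUES (:d, ''daily run'')'
    USING SYSDATE;
END;
/

-- PREFERRED where nothing is genuinely dynamic: static SQL, which the
-- PL/SQL compiler binds for you with no string building at all.
CREATE OR REPLACE PROCEDURE log_today_static AUTHID DEFINER AS
BEGIN
  INSERT INTO audit_log (logged_at, note) VALUES (SYSDATE, 'daily run');
END;
/
```

A code review for this class of bug therefore looks for `||` feeding `EXECUTE IMMEDIATE` or `DBMS_SQL` from DATE and NUMBER values, not only from VARCHAR2 parameters.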
