04.30.08

New Oracle Hack

By Dan Morrill

Never assume anything: now you can't even trust typed data with Oracle.

SQL injection was all over the Internet last week, and security researcher David Litchfield has published a paper on a new Oracle attack that goes through the DATE and NUMBER data types. The paper on the attack method was published on Thursday.

In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would work only if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can work using new types of data, known as date and number data types. Source: Computer World

There is a sense of irony here. Databases and injection attacks are all the rage again, yet databases have seemingly gone through iteration after iteration of being vulnerable since the acoustic modem was invented and people simply didn't put passwords on anything at all. Since then we have seen attacks against database systems culminating in the SQL Slammer worm, but now we are very deep into the idea of subverting exposed calls and making those calls do neat and interesting things.


Oracle, to date, had no specific attack of this kind, which is what makes David's paper worth the read: the two data types, NUMBER and DATE, were previously thought not to be an issue. The question that should be perking up through the ranks is this: if Oracle, which implements the same SQL standard as every other relational database, has this problem, is the same problem present in Microsoft SQL Server, IBM's database system and MySQL, along with a number of smaller, less-used databases?
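The mechanism Litchfield describes, as an added illustration rather than code from the paper or from this article: inside PL/SQL, concatenating a DATE into a dynamic SQL string calls TO_CHAR on it implicitly, and that conversion honors the caller's session NLS_DATE_FORMAT. Because a format model may contain literal text in double quotes, a caller can make the "formatted date" carry SQL, and no VARCHAR2 parameter is ever involved. Changing NLS_DATE_FORMAT needs only a database session, not the ALTER SESSION privilege, so the realistic target is a definer-rights procedure that a low-privileged user is allowed to execute. The schema, procedure, table and column names below are hypothetical, and the NUMBER case the paper also covers is not shown here.

```sql
-- Added example (not from Litchfield's paper or the article).
-- Hypothetical names: app_owner, audit_log, event_time, get_events_before.

-- 1. Vulnerable: no VARCHAR2 parameter, yet injectable. p_cutoff is a DATE,
--    so a developer may reasonably believe it cannot carry SQL. But the
--    concatenation below calls TO_CHAR(p_cutoff) implicitly, and that
--    conversion uses the caller's session NLS_DATE_FORMAT.
CREATE OR REPLACE PROCEDURE app_owner.get_events_before (p_cutoff IN DATE)
AUTHID DEFINER
AS
  v_sql  VARCHAR2(4000);
  v_cnt  NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM app_owner.audit_log '
        || 'WHERE event_time < ''' || p_cutoff || '''';
  EXECUTE IMMEDIATE v_sql INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('events: ' || v_cnt);
END;
/

-- 2. Attacker, from any session that may execute the procedure.
--    Text in double quotes inside a date format model is emitted literally,
--    so the "formatted date" becomes attacker-chosen SQL. This payload only
--    turns the query into a tautology, enough to prove the string was
--    spliced into the statement; a real payload would call a function the
--    definer is allowed to run.
ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR 1=1 --"';

BEGIN
  app_owner.get_events_before(SYSDATE);
END;
/
-- v_sql now reads:
--   SELECT COUNT(*) FROM app_owner.audit_log WHERE event_time < '' OR 1=1 --'
-- The injected -- comments out the closing quote the procedure appended.

-- 3. Hardened: bind the DATE instead of rendering it to text. A bind is
--    passed to the SQL engine as a typed value outside the statement text,
--    so session NLS settings cannot change the SQL that runs.
CREATE OR REPLACE PROCEDURE app_owner.get_events_before (p_cutoff IN DATE)
AUTHID DEFINER
AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.audit_log WHERE event_time < :cutoff'
    INTO v_cnt USING p_cutoff;
  DBMS_OUTPUT.PUT_LINE('events: ' || v_cnt);
END;
/
```

The bind-variable version is the right default for every parameter type, not only strings. Where concatenation genuinely cannot be avoided, TO_CHAR(p_cutoff, 'YYYY-MM-DD') with an explicit format model pins the output so the session setting no longer matters, but a bind removes the problem rather than patching around it.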

Read the paper; it could be interesting in the longer run.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
About DatabaseProNews
DatabaseProNews is a collection of articles, news and commentary designed to keep DBAs informed about the latest trends impacting their profession.
-- DatabaseProNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
© 2008 iEntry, Inc.  All Rights Reserved  Privacy Policy  Legal