Subject: Re: Oracle WebDb engine brain-damagse
From: Kuznetsov, Vasily (VKuznetsov@MICROTEST.RU)
Date: Thu Dec 21 2000 - 00:43:39 CST


> -----Original Message-----
> From: McAllister, Andrew [mailto:McAllisterA@umsystem.edu]
> Sent: Thursday, December 21, 2000 3:47 AM
> To: BUGTRAQ@securityfocus.com
> Subject: Re: [BUGTRAQ] Oracle WebDb engine brain-damagse
...
>
> I'm not sure that a select would work as I believe that the
> query is running
> inside a PL/SQL prepared statement where output is not sent
> to stdout, i.e.
> the browser. In other words I believe your statement is
> translated into
> something like:
>
> begin
> some_webdb_standard_stored_procedure_call;
> select * from (tablename);
> end;
>
Looks the same to me.
> This is not to say that you can't issue some dangerous commands as you
> suggest, just that you won't see any data as a result. Also,
An attacker could probably use standard WebDB means of output to
get the data to his browser. Something like

for i in (select...) loop
        some_web_db_output_proc(...);
end loop;

would probably do the trick.

> I believe that
> only data manipulation commands will work in this context e.g. delete,
> update, insert. I don't believe definition commands will
> work, e.g. drop,
> create. Again I don't have WebDB, so I cannot verify.
DDL commands can probably be issued via execute immediate,
although I too don't have WebDB around to check.

Vasily Kuznetsov
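The thread's point is that the user-supplied table name is concatenated straight into an anonymous PL/SQL block, so anything that follows the name is executed as PL/SQL. The example below is added here and is not part of the thread or of WebDB; it contrasts that unchecked concatenation with an allow-list check on the identifier before it ever reaches the block (`some_webdb_call`, `EMP` and `DEPT` are hypothetical names).

```python
import re

# Plain Oracle identifier: letter first, then letters/digits/_/$/#, at most 30 chars
# (the classic pre-12.2 limit). Anything else (spaces, ';', quotes) is rejected.
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")

# Constructed allow-list: the only tables this page is meant to expose (hypothetical).
ALLOWED_TABLES = {"EMP", "DEPT"}


def is_safe_table_name(name: str) -> bool:
    """True only if `name` is a bare identifier AND is on the allow-list."""
    return bool(IDENT_RE.match(name)) and name.upper() in ALLOWED_TABLES


def build_block_unsafe(tablename: str) -> str:
    """The shape discussed in the thread: user text dropped into the block verbatim,
    so a value such as 'emp; delete from dept' becomes two statements."""
    return f"begin\n  some_webdb_call;\n  select * from {tablename};\nend;"


def build_block_safe(tablename: str) -> str:
    """Same block, but the name must pass the allow-list check first."""
    if not is_safe_table_name(tablename):
        raise ValueError(f"rejected table name: {tablename!r}")
    return build_block_unsafe(tablename.upper())


def rejected(tablename: str) -> bool:
    """Helper for callers/tests: does the safe builder refuse this input?"""
    try:
        build_block_safe(tablename)
    except ValueError:
        return True
    return False
```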