Subject: Re: Oracle WebDb engine brain-damagse
From: Michal Zalewski (lcamtuf@DIONE.IDS.PL)
Date: Thu Dec 21 2000 - 19:10:44 CST
- Next message: Ken Raeburn: "Re: SRP is being patented - don't be so quick to use it."
- Previous message: Hal Flynn: "Zope DTML Role Issue"
- In reply to: McAllister, Andrew: "Re: Oracle WebDb engine brain-damagse"
- Next in thread: sporty o'one: "Re: Oracle WebDb engine brain-damagse"
- Next in thread: Kuznetsov, Vasily: "Re: Oracle WebDb engine brain-damagse"
- Reply: Michal Zalewski: "Re: Oracle WebDb engine brain-damagse"
- Reply: sporty o'one: "Re: Oracle WebDb engine brain-damagse"
- Reply: Michal Zalewski: "Re: Oracle WebDb engine brain-damagse"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 20 Dec 2000, McAllister, Andrew wrote:
> This is not to say that you can't issue some dangerous commands as you
> suggest, just that you won't see any data as a result. Also, I believe
> that only data manipulation commands will work in this context e.g.
> delete, update, insert. I don't believe definition commands will work,
> e.g. drop, create. Again I don't have WebDB, so I cannot verify.
I believe you can do at least one of these possibilities:
- SELECT <pattern> INTO <sth> FROM <table> to move sensitive data
  from some private table to publicly available tables used e.g. for
  direct contents rendering,
- call WebDB output procedures to produce output (you can use full
  PL/SQL language syntax, including loops, declarations etc.).
> I don't know this product well enough to say the above query will
> work, but I know of a similar, non-oracle, product that behaves
> exactly as Michal Zalewski describes. That product vendor was notified
> moments ago of Michal Zalewski's discovery /.../
Any hints? :)
--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =--=>
Did you know that clones never use mirrors? <=--=
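As an added illustration from the defender's side (this is not code from the thread, from Michal, or from Oracle WebDB), the pattern behind the discussion above: a PL/SQL gateway procedure that splices a web parameter into statement text hands the caller the full parser, while binding the parameter keeps it data. The `items` table, its columns and the procedure names are assumed for the example.

```sql
-- Vulnerable pattern: the web parameter p_name becomes part of the statement
-- text, so quote characters and SQL syntax supplied by the caller are parsed
-- as part of the query rather than treated as a value.
CREATE OR REPLACE PROCEDURE show_item (p_name IN VARCHAR2) AS
  v_sql   VARCHAR2(4000);
  v_price NUMBER;
BEGIN
  v_sql := 'SELECT price FROM items WHERE name = ''' || p_name || '''';
  EXECUTE IMMEDIATE v_sql INTO v_price;
  htp.p('Price: ' || v_price);   -- htp.p: PL/SQL Web Toolkit output, as used by WebDB
END;
/

-- Hardened pattern: static SQL with the parameter bound as a value. The parser
-- never sees the contents of p_name as statement text, so it cannot alter the
-- query. AUTHID CURRENT_USER (invoker's rights) additionally runs the procedure
-- with the caller's privileges instead of the owner's, limiting what any
-- remaining flaw in the gateway could reach.
CREATE OR REPLACE PROCEDURE show_item_safe (p_name IN VARCHAR2)
  AUTHID CURRENT_USER AS
  v_price NUMBER;
BEGIN
  SELECT price INTO v_price FROM items WHERE name = p_name;
  htp.p('Price: ' || v_price);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    htp.p('No such item');        -- handle the miss instead of leaking an ORA- error
END;
/
```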