Subject: Re: Perl / Oracle Vuln. New or Not?
From: Tom Jordan (tjordan DOIT.WISC.EDU)
Date: Thu Dec 07 2000 - 10:50:29 CST

Not sure this is a vulnerability so much as it is a need to do error
checking. If you're using DBD::Oracle, the reserved read and write buffers
are very small (on the order of 80 bytes or so). These buffers can be
configured to be larger if necessary. This is all, of course, independent
of the field size you've got declared in the database.

Either way, if the database reports an error in size it's the perl
programmer's job to handle that gracefully. If using DBI, PrintError and
RaiseError will help you do this.

--Tom

On Tue, 5 Dec 2000, H D Moore wrote:
> Hi,
>
> I have seen a similar situation with Sybase. The issue is really that the perl
> script exits when the database module receives an unexpected error. The
> database is coming back and saying the field is too long, but the perl DBD
> module doesn't know how to handle it, so it just exits. If the actual Oracle
> server dies, then you may have a serious problem.
>
> -HD
>
> http://www.digitaldefense.net (work)
> http://www.digitaloffense.net (play)
>
> On Tuesday 05 December 2000 02:12 pm, Simon Kenton wrote:
> > I came across an interesting bug / vulnerability while testing some web
> > code for a client. The system is running Solaris 2.6, Netscape Enterprise
> > Server, and is using Perl to interface with an Oracle database. Feeding the
> > web form about 40,000 characters seems to kill oracle with the following
> > error.
> >
> >
> > DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD
> > ERROR: OCIStmtExecute/Describe) at
> > /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183. DBD::Oracle::db
> > prepare failed: ORA-01704: string literal too long (DBD ERROR:
> > OCIStmtExecute/Describe) at
> > /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183. DBD::Oracle::db
> > prepare failed: ORA-01704: string literal too long (DBD ERROR:
> > OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm
> > line 183.
> >
> > If I enter a little more than 80,000 characters either the oracle, or perl
> > thread dies altogether, and I get a page unreachable error. Has anyone seen
> > this before?
> >
>
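
The error handling discussed in this message, as an added example that is not code from any poster in the thread: a DBI insert that checks the field length first, binds the value with a placeholder so it never enters the SQL text as a string literal, and traps database errors with RaiseError plus eval. It assumes an in-memory DBD::SQLite database standing in for DBD::Oracle; the table, the limits and the `save_comment` helper are hypothetical.

```perl
use strict;
use warnings;
use DBI;

# Assumption: in-memory DBD::SQLite stands in for DBD::Oracle so this runs offline.
my $MAX_LEN = 200;    # hypothetical application-side limit for the form field

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# The CHECK plays the role of the column size limit. It is deliberately tighter
# than $MAX_LEN so that one sample passes validation and is refused by the database.
$dbh->do('CREATE TABLE feedback (comment TEXT CHECK (length(comment) <= 100))');

# Returns a status string; bad input never makes the script die.
sub save_comment {
    my ($dbh, $comment) = @_;

    # 1. Refuse missing or over-long input before it reaches the database.
    return 'rejected: missing input'  unless defined $comment;
    return 'rejected: input too long' if length($comment) > $MAX_LEN;

    # 2. Bind the value with a placeholder so it never becomes part of the SQL text.
    # 3. RaiseError turns a database error into die(); eval traps it.
    my $ok = eval {
        my $sth = $dbh->prepare('INSERT INTO feedback (comment) VALUES (?)');
        $sth->execute($comment);
        1;
    };
    return 'stored' if $ok;

    my $err = $@ || 'unknown error';
    chomp $err;
    warn "database error: $err\n";    # details go to the server log only
    return 'failed: database error';
}

# Constructed sample inputs: normal, over the DB limit, and a 40,000-character field.
my @samples = ('hello', 'x' x 150, 'x' x 40_000);
for my $input (@samples) {
    printf "%6d chars -> %s\n", length($input), save_comment($dbh, $input);
}
$dbh->disconnect;
```

The 150-character sample shows the case the thread is about: the database refuses the value, the error is caught, and the script returns a status instead of exiting.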