Site Sponsor:

mcafee_logo.gif
line

Now Available:

Featured Resource:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Dan or post a comment to the blog.

« Yet Another aaS: Crimeware as a Service (CaaS) | Main | Privacy Mandates, Search Engines and You »

Lateral Injection Attack in Oracle

David Litchfield has discovered a way to exploit what is generally considered safe data type (DATE) which he calls lateral injection. It's a clever exploit but it can be blocked with reasonable precautions.

The exploit is described in a recent paper by Litchfield. By manipulating NLS_DATE_FORMAT, which requires ALTER SESSION privilege, an attacker can inject non-date strings into a variable of type DATE. That with a little dynamically evaluated code and the attack is under way.

Minimizing privileges, dynamically generated code and auditing what we used to consider safe code. Litchfield concludes the paper with:

The lesson here is always, always validate and don't let this type of vulnerability get into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper has proved, they are.
Tags:      
 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Dan Sullivan on April 25, 2008 8:14 AM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-websecurity.com/type/mt-tb.cgi/715

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Latest White Papers

line

Blog Roll

line

Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net