RE: New form of sql injection hack documented

  • From: "Goulet, Dick" <richard.goulet@xxxxxxxxxxxxx>
  • To: <MATT.ADAMS@xxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 25 Apr 2008 13:21:59 -0400

I'm quite sure that David catches a lot of hate mail about his papers,
probably from the hackers out there.  But one very smart person in my
life once said that the only "safe" database is one that has nothing in
it, which is still true today.  The one item that I take from all of
David's findings is that we should never look at code as doing what we
intended it to do, but as what someone else could make it do.  I know a
lot of people think that hackers are all outside the firewall, which is
false.  The greatest threat to your database is the person in the cube
next to you who has access to it.

I believe that David is a member of the list & consequently thank him
for the revelations.

______________________________________________________________
Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / www.capgemini.com
Fax: 508.229.2019 /  Email: richard.goulet@xxxxxxxxxxxxx
45 Bartlett St. / Marlborough, MA 01752

Together: the Collaborative Business Experience 
______________________________________________________________

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Adams, Matthew (GE
Indust, ConsInd)
Sent: Friday, April 25, 2008 10:08 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: New form of sql injection hack documented

FYI 

Yesterday, David Litchfield released a paper describing how a SQL
injection attack could be done on a PL/SQL routine that does dynamic
statement creation, even if the routine has no parameters and no user
interaction.

It's an interesting read.

http://www.davidlitchfield.com/blog/archives/00000041.htm

---- 
Matt Adams - GE Consumer and Industrial 
Database Administration 
It will make sense as soon as you stop thinking logically 
and start thinking oracle-ly.  - Jim Droppa 
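The following is an added example, not code from either message or from Litchfield's paper, showing the shape of the problem Matt describes: a PL/SQL procedure with no parameters and no user input that still builds an injectable statement. It assumes the vector is a session-level NLS_DATE_FORMAT change that controls how SYSDATE is rendered when it is concatenated into a string. The table name, procedure names and payload are assumptions for illustration; the script is written for SQL*Plus.

```sql
-- Hypothetical table for the example (name is assumed, not from the page).
CREATE TABLE app_audit (id NUMBER, note VARCHAR2(100), created_on DATE);

-- VULNERABLE: no parameters, no user input, yet injectable.
-- SYSDATE is a DATE; concatenating it into a VARCHAR2 forces an implicit
-- TO_CHAR that honours the *session's* NLS_DATE_FORMAT. Whoever can issue
-- ALTER SESSION before calling this procedure controls that text.
CREATE OR REPLACE PROCEDURE purge_today_unsafe AUTHID DEFINER AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'DELETE FROM app_audit WHERE TRUNC(created_on) = '''
           || SYSDATE || '''';
  EXECUTE IMMEDIATE v_sql;
END;
/

-- A caller with EXECUTE on the procedure and the ability to change
-- session parameters makes SYSDATE render as a fragment of SQL.
-- Text inside "..." in a date format model is emitted literally, so
-- TO_CHAR(SYSDATE) now returns:  ' OR 1=1--
ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR 1=1--"';

-- Statement actually executed by purge_today_unsafe, with the owner's rights:
--   DELETE FROM app_audit WHERE TRUNC(created_on) = '' OR 1=1--'
-- The trailing quote is commented out, 1=1 is always true: every row goes.
EXEC purge_today_unsafe

-- HARDENED: bind the value instead of concatenating it. The bind is
-- passed as a DATE, so no string conversion takes place and the
-- session's NLS settings cannot alter the statement text.
CREATE OR REPLACE PROCEDURE purge_today_safe AUTHID DEFINER AS
BEGIN
  EXECUTE IMMEDIATE
    'DELETE FROM app_audit WHERE TRUNC(created_on) = TRUNC(:d)'
    USING TRUNC(SYSDATE);
END;
/
```

The check to make when reviewing dynamic PL/SQL is therefore not "where does user input enter" but "what gets converted to a string on its way into the statement": dates, numbers (NLS_NUMERIC_CHARACTERS) and anything else whose text form depends on session state. Bind variables close the hole; declaring the routine AUTHID CURRENT_USER where definer's rights are not actually needed limits what a successful injection can reach.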
