Open Source and information security mailing list archives
Date: 1 Oct 2004 17:55:30 -0000
From: Brandon Petty <bmpfg8@....edu>
To: bugtraq@...urityfocus.com
Subject: Re: Oracle 9i Union Flaw


In-Reply-To: <20040930224011.21783.qmail@....securityfocus.com>

>A fellow student, here at UMR, has tested the MSAccess 2K/XP Union Flaw 

If you are wondering about the Access Union Flaw... I posted something that was, for the most part, incorrect about Access and how it handles Unions.  There are a few quirks... but nothing that should have been posted.  Mainly, my bad.

I still think that if you are going to union two fields... that the results should not be stored under one of those fields' headings if they are different.  Like doing a union on Login and Password.  It would be best to return the results under something like LoginKey instead of Login.  That way if I do an SQL Injection by using the ever popular Union operator... I know that I am not going to return other data if I print out the contents of the Login results.  This of course would have to be done by the dbs.

The issue with Oracle 9i not allowing you to mismatch more than two fields is still strange.  I don't remember what the exact errors were.  This could be a flaw in Oracle... but I have not looked into this.  I wouldn't think it would matter how many differing fields you union on.  But then again... I really haven't looked into Oracle to say too much.
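
The column-heading behaviour discussed in the message above, shown as an added example that is not part of the original post: a UNION result takes its heading from the first SELECT, so rows from Password come back labelled Login when input is concatenated into the query, while a bound parameter keeps the input as data. It uses SQLite through Python's sqlite3 rather than Access or Oracle; the Users table, its rows, and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users (Login TEXT, Password TEXT);
        INSERT INTO Users VALUES ('alice', 'pw-alice'), ('bob', 'pw-bob');
    """)
    return db

def _run(cur):
    # Return (column headings, first-column values) for a finished query.
    return [d[0] for d in cur.description], [r[0] for r in cur.fetchall()]

def lookup_concat(db, name):
    # Vulnerable form: the input is pasted into the SQL text, so a quote
    # in it ends the string literal and the rest is parsed as SQL.
    return _run(db.execute(
        "SELECT Login FROM Users WHERE Login = '" + name + "'"))

def lookup_bound(db, name):
    # Hardened form: the input is bound as a value and never parsed as SQL.
    return _run(db.execute(
        "SELECT Login FROM Users WHERE Login = ?", (name,)))

# Constructed input that appends a second SELECT with UNION.
CRAFTED = "nobody' UNION SELECT Password FROM Users --"

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_bound):
        print(fn.__name__, "normal :", fn(db, "alice"))
        print(fn.__name__, "crafted:", fn(db, CRAFTED))
```

Code that prints "the Login column" cannot tell the two cases apart from the heading alone, which is why the fix belongs at the query boundary and not in how results are displayed.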

