[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040930224011.21783.qmail@www.securityfocus.com>
Date: 30 Sep 2004 22:40:11 -0000
From: Brandon Petty <bmpfg8@....edu>
To: bugtraq@...urityfocus.com
Subject: Oracle 9i Union Flaw
A fellow student, here at UMR, has tested the MSAccess 2K/XP Union Flaw on Oracle 9i.
His name is Muthukumar Narayanan: mnmr6@....edu .
He found that Oracle 9i has the same problem as Access... but it is a little different.
He found that you can select up to 2 miss ordered columns for the results to be mixed.
An example:
select login, password from flaw union select password, login from flaw;
select login from flaw union select password from flaw;
It seems that if you do more than 2, it will return an error. Also, in the last case... this is a prime example of something that an SQL Injection attack could really take advantage of. Again, you are asking for the login name... but are returned password data. What happens when a Server Side Script tries to print out all of the login names since it is pointed at the login field? hmmm...
You can contact him for more information on the Oracle 9i issue.
I would also suspect MySQL and Postgresql to have something similar since this seems
to be an issue with more than one database server. This has not been tested.
Note: Oracle has not been contacted. This was brought to my attention 15 minutes ago after we had discussed the flaw I found in Access.
Thanks,
Brandon P.
Powered by blists - more mailing lists