Date: 30 Sep 2004 22:40:11 -0000
From: Brandon Petty <bmpfg8@....edu>
To: bugtraq@...urityfocus.com
Subject: Oracle 9i Union Flaw




A fellow student, here at UMR, has tested the MSAccess 2K/XP Union Flaw on Oracle 9i.
His name is Muthukumar Narayanan: mnmr6@....edu .

He found that Oracle 9i has the same problem as Access... but it is a little different.
He found that you can select up to 2 misordered columns for the results to be mixed.

An example:

  select login, password from flaw union select password, login from flaw;
  select login from flaw union select password from flaw;

It seems that if you do more than 2, it will return an error.  Also, in the last case... this is a prime example of something that an SQL Injection attack could really take advantage of.  Again, you are asking for the login name... but are returned password data.  What happens when a Server Side Script tries to print out all of the login names since it is pointed at the login field? hmmm...

You can contact him for more information on the Oracle 9i issue.

I would also suspect MySQL and PostgreSQL to have something similar since this seems
to be an issue with more than one database server.  This has not been tested.

Note: Oracle has not been contacted.  This was brought to my attention 15 minutes ago after we had discussed the flaw I found in Access.

Thanks,
Brandon P.
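
The scenario raised in the message above, as an added example that is not part of the original post: it runs the post's second query and then shows a concatenated lookup beside a parameter-bound one. It assumes SQLite through Python's `sqlite3` module as a stand-in engine (the post concerns Oracle 9i), and the rows in `flaw`, the function names and the `CRAFTED` input are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample table named after the post's example; the rows are made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table flaw (login text, password text)")
    conn.executemany("insert into flaw values (?, ?)",
                     [("alice", "pw-alice"), ("bob", "pw-bob")])
    return conn

def union_result(conn):
    # Second query from the post: one result column, fed by two source columns.
    cur = conn.execute("select login from flaw union select password from flaw")
    label = cur.description[0][0]  # name the script sees for the result column
    return label, sorted(row[0] for row in cur)

def logins_concat(conn, name):
    # "Before": input is spliced into the SQL text, so it can change the statement.
    sql = "select login from flaw where login = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

def logins_bound(conn, name):
    # "After": input is a bound parameter and is only ever compared as a value.
    sql = "select login from flaw where login = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

# Constructed input carrying the post's UNION clause.
CRAFTED = "alice' union select password from flaw --"

if __name__ == "__main__":
    conn = make_db()
    print(union_result(conn))            # column labelled login, mixed values
    print(logins_concat(conn, CRAFTED))  # password values appear under login
    print(logins_bound(conn, CRAFTED))   # no rows: the text matched no login
```
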

