Re: ecmascript 5 DATESTYLE

From Mike Fowler
Subject Re: ecmascript 5 DATESTYLE
Date
Msg-id 4BF3BA2E.1060605@mlfowler.com
In reply to Re: ecmascript 5 DATESTYLE  (Pavel Stehule <pavel.stehule@gmail.com>)
Responses Re: ecmascript 5 DATESTYLE  (Pavel Stehule <pavel.stehule@gmail.com>)
List pgsql-hackers
Pavel Stehule wrote:
> see google: lateral sql injection oracle NLS_DATE_FORMAT
>
> I would to like this functionality too - and technically I don't see a
> problem - It's less than 100 lines, but I don't need a new security
> problem. So my proposal is change nothing on this integrated
> functionality and add new custom date type - like cdate that can be
> customized via GUC.
>
> Regards
> Pavel

OK, I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. From the way I read this, the exploit relies on
adjusting the NLS_DATE_FORMAT to an arbitrary string which is then used for the
attack. To me this is easy to code against: simply lock the date format
right down and ensure that it is always controlled. IMHO I don't see an
Oracle specific attack as a reason why we can't have a generic format.
Surely we can learn from this known vulnerability and get another one up
on Oracle?

Thanks,

-- 
Mike Fowler
Registered Linux user: 379787

"I could be a genius if I just put my mind to it, and I,
I could do anything, if only I could get 'round to it"
-PULP 'Glory Days'
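The mitigation Mike sketches above (lock the date format down so a session-settable format can only ever produce controlled output) as an added example; this is not code from the thread or from PostgreSQL, and the token set, separator set and the `validate_date_format`/`render_date` functions are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Allowlisted format tokens (constructed for this example, not PostgreSQL's
# real DateStyle grammar) and the strftime field each one renders to.
TOKENS = {
    "YYYY": "%Y", "MM": "%m", "DD": "%d",
    "HH24": "%H", "MI": "%M", "SS": "%S",
}
# Literal characters allowed between tokens; quoted literals are not allowed.
SEPARATORS = set("-/:. T")

# Longest tokens first so "HH24" is not mis-read as two unknown characters.
_TOKEN_RE = re.compile("|".join(sorted(TOKENS, key=len, reverse=True)))


def validate_date_format(fmt: str) -> bool:
    """Return True only if fmt consists solely of allowlisted tokens and
    separators. Anything else (quoted literals, stray punctuation) is rejected,
    so the format can never inject arbitrary text into rendered dates."""
    pos = 0
    while pos < len(fmt):
        if fmt[pos] in SEPARATORS:
            pos += 1
            continue
        match = _TOKEN_RE.match(fmt, pos)
        if match is None:
            return False
        pos = match.end()
    return True


def render_date(value: datetime, fmt: str) -> str:
    """Render value using fmt, refusing any format that fails the check."""
    if not validate_date_format(fmt):
        raise ValueError(f"rejected date format: {fmt!r}")
    out, pos = [], 0
    while pos < len(fmt):
        if fmt[pos] in SEPARATORS:
            out.append(fmt[pos])
            pos += 1
            continue
        match = _TOKEN_RE.match(fmt, pos)
        out.append(value.strftime(TOKENS[match.group(0)]))
        pos = match.end()
    return "".join(out)


def demo() -> str:
    # Constructed sample timestamp rendered in the ES5/ISO-style format the thread discusses.
    return render_date(datetime(2010, 5, 19, 13, 4, 5), "YYYY-MM-DDTHH24:MI:SS")
```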


