2010/5/19 Mike Fowler <mike@mlfowler.com>:
> Pavel Stehule wrote:
>>
>> see google: lateral sql injection oracle NLS_DATE_FORMAT
>>
>> I would to like this functionality too - and technically I don't see a
>> problem - It's less than 100 lines, but I don't need a new security
>> problem. So my proposal is change nothing on this integrated
>> functionality and add new custom date type - like cdate that can be
>> customized via GUC.
>>
>> Regards
>> Pavel
>
> OK I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. From
> the way I read this, the exploit relies on adjusting the NLS_DATE_FORMAT to
> an arbitrary string which is then used for the attack, To me this is easy to
> code against, simply lock the date format right down and ensure that it is
> always controlled. IMHO I don't see an Oracle specific attack as a reason
> why we can't have a generic format. Surely we can learn from this known
> vulnerability and get another one up on Oracle?
I am not a security expert - you can simply don't allow apostrophe,
double quotes - but I am not sure, if this can be safe - simply - I am
abe to write this patch, but I am not able to ensure security.
Regards
Pavel
>
> Thanks,
>
> --
> Mike Fowler
> Registered Linux user: 379787
>
> "I could be a genius if I just put my mind to it, and I,
> I could do anything, if only I could get 'round to it"
> -PULP 'Glory Days'
>
>