CyberInsecure.com

Daily cyber threats and internet security news alerts
April 25th, 2008

New Lateral SQL Injection Method To Hack Oracle Database

A new type of attack that could give a hacker access to an Oracle database, called a lateral SQL injection, could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software.

Security researcher David Litchfield first disclosed this type of attack at the Black Hat Washington conference last February, but on last Thursday he published a paper with technical details. Litchfield’s attack targets the Procedural Language/SQL programming language used by Oracle developers.

In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would work only if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can work using new types of data, known as date and number data types.

Litchfield wasn’t sure how widespread lateral SQL injection vulnerabilities are, but he thinks the attack could cause real damage in some scenarios. “If you happen to be using Oracle and you write your own applications on it, then yes, you could be writing vulnerable code,” he said. “The sky is not falling … but it’s certainly something that people should be made aware of.”

Database programmers should review their code to be sure it is checking to make sure that all of the data it is processing is legitimate, and not injected SQL commands.

Oracle did not comment on this issue.

Email, Bookmark or Share:
  • E-mail this story to a friend!
  • Digg
  • del.icio.us
  • StumbleUpon
  • Reddit
  • Technorati
  • Slashdot
  • Propeller
  • Google
  • Live
  • YahooMyWeb
  • Facebook
  • LinkedIn
More on CyberInsecure:
  • Oracle Patches Critical Database Vulnerabilities
  • Phishing Botnet Expands By SQL Injecting Websites Found In Google
  • WordPress Multiple SQL Injection Vulnerabilities
  • Oklahoma Department Of Corrections Website Exposed Sex Offenders Data
  • Nine Out Of Ten Websites Are Vulnerable To Attack

    • Posted in Vulnerabilities | Print This Post Print This Post

    This entry was posted on Friday, April 25th, 2008 at 8:18 am and is filed under Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New Lateral SQL Injection Method To Hack Oracle Database

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. Please leave your real email, it wont be published.

    *
    To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
    Click to hear an audio file of the anti-spam word

    « « Southern Connecticut State University Warns Of Data Breach After Web Defacement
    34000 Of Customers Bank Details On Stolen Boots Backup Tape » »