Vulnerability Development mailing list archives

Perl / Oracle Vuln. New or Not?

From: Simon Kenton <simon_k () MAILANDNEWS COM>
Date: Tue, 5 Dec 2000 15:12:45 -0500

I came across an interesting bug / vulnerability while testing some web code
for a client.  The system is running Solaris 2.6, Netscape Enterprise Server,
and is using Perl to interface with a Oracle database.  Feeding the web form
about 40,000 characters seems to kill oracle with the following error.


DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR:
OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line
183. DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD
ERROR: OCIStmtExecute/Describe) at
/usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183. DBD::Oracle::db prepare
failed: ORA-01704: string literal too long (DBD ERROR:
OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line
183.

If I enter a little more than 80,000 characters either the oracle, or perl
thread dies altogether, and I get a page unreachable error. Has anyone seen
this before?

-Simon

------------------------------
   Simon Kenton
   Folk Hero To The Stars
------------------------------

Current thread:

Perl / Oracle Vuln. New or Not? Simon Kenton (Dec 06)
- Re: Perl / Oracle Vuln. New or Not? H D Moore (Dec 07)
  - Re: Perl / Oracle Vuln. New or Not? Tom Jordan (Dec 09)
- <Possible follow-ups>
- Re: Perl / Oracle Vuln. New or Not? Simon Kenton (Dec 08)
  - Re: Perl / Oracle Vuln. New or Not? Lincoln Yeoh (Dec 09)
- Re: Perl / Oracle Vuln. New or Not? Simon Kenton (Dec 09)