Vulnerability Development mailing list archives
Re: Perl / Oracle Vuln. New or Not?
From: Simon Kenton <simon_k () MAILANDNEWS COM>
Date: Thu, 7 Dec 2000 18:52:38 -0500
Thanks for all of the responses. I am trying to compile some of the information I received before submitting some information to the people working on the Perl DBI / DBD modules. Let me know if it sounds reasonable. I am also including a quote from a response I received from Ian Stoba which was very informative.

---------------

System: Solaris 2.6 running Netscape Enterprise Server, Perl5, and Oracle.

Symptoms: Inputting 40,001 or more characters into any form field causes an application error. Inputting 80,001 or more characters causes additional errors.

Output From Web server:

DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183.
DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183.
DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183.

Impact: When 40,001+ characters are entered into a textbox field and submitted via the form, the web server displays the directory structure of the server, the version of Perl running, and divulges the fact that Oracle is installed on the system. This gives an attacker information about a system that only system administrators have a legitimate need to know. This information could help an attacker craft a successful attack against a server with this vulnerability.

When 80,001+ characters are submitted through the form, the Perl script dies, and the web server displays a page unavailable error. Either of these conditions may be causing a buffer overflow condition giving a further opportunity for an attacker to compromise the server.

Cause: The HTML form linked to foo.pl does not limit the number of characters that it passes to foo.pl. The Perl script does not limit the size of data it will accept by automatically truncating data input through the form before submitting the string to the DBI module, which does some sanity checking of the SQL string before the string is sent to oracle for processing. DBI is a module for perl that is used to provide connectivity between perl and databases (such as Oracle). This does prevent corruption of the database as the DBIx module seems to be dying while it is preparing the SQL statement before the statement is passed to oracle, which causes an error in Perl as opposed to potentially causing an error in Oracle.

------------------------------
===== Original Message From Ian Stoba <ian () babcockbrown com> =====

You may be inundated with responses already, so I apologize if this is redundant.

Based on the error message, it appears that the perl script is using the very popular DBI kit to connect to Oracle. The way DBI works (with its database specific DBD drivers) is that SQL statements are first prepared (i.e. sanity checked and preprocessed) and then executed.

The good news, if there is any, is that the error is thrown *before* any attempt is made to send data to the Oracle database. This means that the buffer overrun (if that is what it is) should affect only the perl process and not the Oracle application or the database integrity.

You might want to bring this up with the maintainers of DBI:
http://www.symbolstone.org/technology/perl/DBI

I hope this is useful for you,
--Ian
------------------------------
Simon Kenton
Folk Hero To The Stars
------------------------------
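
One way to handle the condition reported in the message above on the server side, as an added example that is not part of the original post or of the DBI project's code: enforce a length limit before the value reaches DBI, pass it as a bind parameter instead of a literal in the SQL text, and log DBI errors rather than returning them to the browser. The `comments` table, the 2000-character limit and the in-memory SQLite database (which requires DBD::SQLite) are assumptions chosen so the script runs offline.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Table "comments", the field limit and
# the SQLite demo database are assumptions made so the script runs offline.
use strict;
use warnings;
use DBI;

my $MAX_LEN = 2000;    # assumed limit; set it to the real column width

# Returns (status, body). DBI details go to the server log, never the client.
sub save_comment {
    my ($dbh, $text) = @_;
    return (400, 'Missing input.') unless defined($text) && length($text);
    # Reject oversized input instead of silently truncating it.
    return (413, 'Input too long.') if length($text) > $MAX_LEN;
    my $ok = eval {
        # The value travels as a bind parameter, so it is never a string
        # literal inside the SQL text that has to be parsed.
        my $sth = $dbh->prepare('INSERT INTO comments (body) VALUES (?)');
        $sth->execute($text);
        1;
    };
    unless ($ok) {
        warn "save_comment failed: $@";    # STDERR -> web server error log
        return (500, 'The request could not be processed.');
    }
    return (200, 'Saved.');
}

# Demo against an in-memory SQLite database (needs DBD::SQLite). For Oracle
# the DSN would be "dbi:Oracle:<service>"; the handler itself is unchanged.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE comments (body TEXT)');

# Constructed inputs: normal, at the limit, one over, the thread's 40,001.
for my $input ('hello', 'A' x $MAX_LEN, 'A' x ($MAX_LEN + 1), 'A' x 40_001) {
    my ($status, $body) = save_comment($dbh, $input);
    printf "%6d chars -> %d %s\n", length($input), $status, $body;
}

# Simulate a database fault: the client still sees only the generic message.
$dbh->do('DROP TABLE comments');
my ($status, $body) = save_comment($dbh, 'hello');
print "after fault -> $status $body\n";
$dbh->disconnect;
```

The driver's error text, including the module path and line number, appears only on STDERR, which a CGI environment normally routes to the web server's error log.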