WebApp Sec mailing list archives
Re: Oracle SQL Injection on orasso reveals ALL_USERS
From: Michael Alipio <daem0nb0y () yahoo com>
Date: Wed, 3 Oct 2007 00:51:46 -0700 (PDT)
Hi, This is my first time doing a web application assessment. I was reading reading an article about Oracle assessment in OWASP and tried one of their examples. To my surprise, by typing the URL below on my web browser, revealed all the information about ALL_USERS. I wonder what I can do with this finding? Maybe you can point me to the proper mailing list.. http://login.server.com/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(;1);--=SELECT+* +FROM+ALL_USERS Thanks ____________________________________________________________________________________ Pinpoint customers who are looking for what you sell. http://searchmarketing.yahoo.com/ ------------------------------------------------------------------------- Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional XSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701700000009405 -------------------------------------------------------------------------
Current thread:
- Re: Oracle SQL Injection on orasso reveals ALL_USERS Michael Alipio (Oct 04)