Vulnerability Development mailing list archives
Re: Perl / Oracle Vuln. New or Not?
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Tue, 5 Dec 2000 17:04:24 -0600
Hi, I am seen a similar situation with Sybase. The issue is really that the perl script exists when the database module recieves an unexpected error. The database is coming back and saying the field is too long, but the perl DBD module doesn't know how to handle it, so it just exits. If the actual Oracle server dies, then you may have a serious problem. -HD http://www.digitaldefense.net (work) http://www.digitaloffense.net (play) On Tuesday 05 December 2000 02:12 pm, Simon Kenton wrote:
I came across an interesting bug / vulnerability while testing some web code for a client. The system is running Solaris 2.6, Netscape Enterprise Server, and is using Perl to interface with a Oracle database. Feeding the web form about 40,000 characters seems to kill oracle with the following error. DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183. DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183. DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183. If I enter a little more than 80,000 characters either the oracle, or perl thread dies altogether, and I get a page unreachable error. Has anyone seen this before?
Current thread:
- Perl / Oracle Vuln. New or Not? Simon Kenton (Dec 06)
- Re: Perl / Oracle Vuln. New or Not? H D Moore (Dec 07)
- Re: Perl / Oracle Vuln. New or Not? Tom Jordan (Dec 09)
- <Possible follow-ups>
- Re: Perl / Oracle Vuln. New or Not? Simon Kenton (Dec 08)
- Re: Perl / Oracle Vuln. New or Not? Lincoln Yeoh (Dec 09)
- Re: Perl / Oracle Vuln. New or Not? Simon Kenton (Dec 09)
- Re: Perl / Oracle Vuln. New or Not? H D Moore (Dec 07)