Vulnerability Development mailing list archives
Re: Oracle Databases Allow HTML/SQL injection
From: Jim Kovalchuk <raxor () dexlink com>
Date: Tue, 16 Apr 2002 11:27:43 -0700 (PDT)
On Tue, 16 Apr 2002, david evlis reign wrote:
# oracle database madness" "I only have a few things to say." - davidr css in the oracle search engine --> http://www.oracle.com/pls/use/use_query_html_v3.submit_query_input?p_adv_query_text=css<br><br><br><br><font%20color%20=%20red><h1>DAVID%20REIGN%20IN%20THE%20Y2K+2</H1></b><br><br><br><br><br><br>&p_origin=www&p_person_id=100582&p_community=oracle.com_v2&p_doc_location_array=Place+Holder&p_doc_location_array=document&p_location_array=&p_keyword_array=100017&p_value_array=www.oracle.com&p_date_begin=q_date&p_date_end=q_date&p_max_return=200 i get fucked up error messages from this: Error generating ctx scoreORA-20000: interMedia Text error: DRG-10800: query failed: DRG-50921: EQUIV operand not a word or another EQUIV expression and now, the oracle db, while my hacking was targetted at sql injection i found this: Error Diagnostic Information ODBC Error Code = S1000 (General error) [INTERSOLV][ODBC Oracle driver][Oracle]ORA-01756: quoted string not properly terminated The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (245:5) to (245:130). Date/Time: Tue Apr 16 17:37:17 2002 Browser: Mozilla/4.0 (compatible; MSIE 5.01; Windows 3.1) Remote Address: 64.66.85.22 Template: /content/www/prodn/bigpond/direct/view.cfm Query String: ID='54 <-- HAHAH with the url: http://dsleerf.net/direct/view.cfm?ID='54 now, why i am laughing: http://dsleerf.net/bigpond/direct/view.cfm?ID='54"><br><br><br><br><br><br><br><br><br><font%20color%20=%20red><h1>DAVID%20REIGN%20IN%20THE%20Y2K+2</H1></b><br><br><br><br><br><br>
This looks like an input validation bug in the Cold Fusion code, as i'm quite sure Oracle doesn't use Cold Fusion for their web applications. Macromedia's drag and drop IDE isn't security aware yet.
the oracle database is shit. anyone who uses oracle is shit. long live apple. -davidr _________________________________________________________________ Join the worlds largest e-mail service with MSN Hotmail. http://www.hotmail.com
Current thread:
- Oracle Databases Allow HTML/SQL injection david evlis reign (Apr 16)
- Re: Oracle Databases Allow HTML/SQL injection KF (Apr 16)
- Re: Oracle Databases Allow HTML/SQL injection KF (Apr 16)
- Re: Oracle Databases Allow HTML/SQL injection Jim Kovalchuk (Apr 16)