A SQL injection attack that may be executed against the Oracle database was recently documented by database security researcher David Litchfield.
The attack requires that the attacker to have been granted a database account, making it more likely that this kind of attack will occur in the research lab than "in the normal sense," Litchfield said of his finding.
But Oracle's manager for security in its Global Technology Unit, Erich Maurice, Monday said in a blog post that Litchfield's exploit demonstrates how "a lateral SQL injection" attack can be placed by an outsider in a database application using Oracle's extended PL/SQL query language, and developers of database applications should be aware of the potential for such attacks.
SQL injection occurs when an intruder is able to put a SQL statement into a user input form where the application expects a name, address, date, or some other standard information. SQL injection succeeds when there's no validation of the entry. That is, there's no automatic check that the entry follows an expected format or meets length and alphanumeric character limits. Such validation would be able to detect a SQL statement in place of a date and halt execution of the program.
Lateral injection is indirect injection -- putting the PL/SQL statement someplace where the application will find it when it's looking for something else, then successfully directing the application to that statement.
What skills do network managers really need to properly secure industrial networks? What new protocols, frameworks, and regulations are important? And what conferences and certifications can help? Here are five tips to get started.
A full-stack approach to retail edge offers retailers a way to optimize operations and adapt to changes in a post-pandemic world.
Network management tool sprawl is getting in the way of network management. It’s time for IT to do something about it.
