Kommentare zu: Best (insecure) Practice PL/SQL on OTN http://blog.red-database-security.com/2007/07/31/best-insecure-practice-plsql-on-otn/ Sat, 22 Nov 2008 07:54:36 +0000 http://wordpress.org/?v=2.2.1 Von: Steven Feuerstein http://blog.red-database-security.com/2007/07/31/best-insecure-practice-plsql-on-otn/#comment-667 Steven Feuerstein Sat, 01 Sep 2007 08:06:50 +0000 http://blog.red-database-security.com/2007/07/31/best-insecure-practice-plsql-on-otn/#comment-667 Alexander, Thanks so much for raising this concern about the code example. It does, indeed, contain a SQL injection vulnerability. I believe that it would actually be quite difficult to "bullet proof" this piece of code, given the generality of its desired functionality. I also expect that if anyone actually used it, its usage would be buried so deep inside an application that the possibility of external, malicious inputs to the program would be minuscule. Minuscule is not, however, good enough when a person is sufficiently (and rightly) concerned about the security of their system. Rather than come up with a new implementation of this program which would be secure from SQL injection, I have decided to remove the code sample from the OTN page. Congratulations for making the Oracle PL/SQL world just a tiny bit safer for everyone! Steven Feuerstein Alexander,

Thanks so much for raising this concern about the code example. It does, indeed, contain a SQL injection vulnerability. I believe that it would actually be quite difficult to “bullet proof” this piece of code, given the generality of its desired functionality. I also expect that if anyone actually used it, its usage would be buried so deep inside an application that the possibility of external, malicious inputs to the program would be minuscule.

Minuscule is not, however, good enough when a person is sufficiently (and rightly) concerned about the security of their system.

Rather than come up with a new implementation of this program which would be secure from SQL injection, I have decided to remove the code sample from the OTN page.

Congratulations for making the Oracle PL/SQL world just a tiny bit safer for everyone!

Steven Feuerstein

]]> Von: Alexander Kornbrust http://blog.red-database-security.com/2007/07/31/best-insecure-practice-plsql-on-otn/#comment-99 Alexander Kornbrust Wed, 01 Aug 2007 08:10:08 +0000 http://blog.red-database-security.com/2007/07/31/best-insecure-practice-plsql-on-otn/#comment-99 Patrick it's true that the secure version would be much better. But I have only limited resources and for a secure version it is necessary to understand the code completely which can take some time. It's typical for a source code audit to find vulnerable code but not to provide fixes. The developers are responsible for fixing the problems. In the case of the package str2list you should restrict the parameter showproc or pkg, e.g. allowing only some special values (e.g. if pkg not in ('MYPACK1','MYPACK2','ORDER'). Alex Patrick

it’s true that the secure version would be much better.

But I have only limited resources and for a secure version it is necessary to understand the code completely which can take some time. It’s typical for a source code audit to find vulnerable code but not to provide fixes. The developers are responsible for fixing the problems.

In the case of the package str2list you should restrict the parameter showproc or pkg, e.g. allowing only some special values (e.g. if pkg not in (’MYPACK1′,’MYPACK2′,’ORDER’).

Alex

]]> Von: Patrick Wolf http://blog.red-database-security.com/2007/07/31/best-insecure-practice-plsql-on-otn/#comment-96 Patrick Wolf Wed, 01 Aug 2007 07:35:33 +0000 http://blog.red-database-security.com/2007/07/31/best-insecure-practice-plsql-on-otn/#comment-96 Just pointing on someone else code and say it's not secure is also just the half side of the truth. It would be much better to show the secure version, so that we can learn how it should look like and how we should write our code. Thanks Patrick Just pointing on someone else code and say it’s not secure is also just the half side of the truth. It would be much better to show the secure version, so that we can learn how it should look like and how we should write our code.

Thanks
Patrick

]]>