Feb 3, 2006

Full Disclosure: Oracle PLSQL Gateway Flaw!

This is a very interesting post by David Litchfield:
http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0007.html

 

The reason it makes such interesting reading is not because it bashes Oracle (which it does!), but because of what this illustrates about practicing secure coding techniques:

 

1. URL encoding hack: "Handling files incorrectly"(Not reducing file / URL / path names to canonical representation before processing)

 

2. "SYS" in double quotes and <Label> hack: "Mixing Code and Data"

 

3. Depending on just a forbidden list and not having a second check: "Defense in Depth" violation

 

4. The "Forbidden" list: "Looking for bad data." You cannot know all the bad data in the world, but you know what data is good. Solid code looks for good data and rejects everything else. This is what Litchfield means by having a white list - simpler and far more robust!

 

5. Not blocking access to packages owned by DBA accounts: "Principle of Least Privilege" violation.


Not to mention that 1, 2 and 4 are input trust issues. Something which is like the first lesson in secure coding!


Come on Oracle, get a copy of "Writing Secure Code" and read it thru!!