Doug has posted an interesting note about executing SQL scripts from URLs
January 12th, 2006 by Pete
I saw Doug's post tonight titled "Something Else I Didn't Know", which talks about the fact that SQL scripts can be executed not just from scripts on the file system but also from URLs. I was aware of this feature and of the fact that it is not well known. This feature is a security risk, as it means that cross-site scripting could be possible against a database using SQL. It could also be possible to use DNS spoofing to trick an existing setup that uses SQL*Plus with URL-located files into executing other files. I can also conceive of ways that a hacker could get access to SQL*Plus on the server remotely and get it to run an external script located on his own site. This applies in cases where the database is behind a firewall and not normally accessible to users who wish to run SQL*Plus.
Think carefully about using this feature and its implications.
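As an added illustration of the kind of audit a DBA might run in response (this is not code from Doug's or Pete's posts), the Python script below scans a SQL*Plus script for script invocations (`@`, `@@`, `START`/`STA`) whose target is a URL rather than a local file, so that remote includes can be replaced with locally held, reviewed copies. The sample script and host names are constructed for the example.

```python
import re
from typing import List, Tuple

# SQL*Plus runs another script with "@file", "@@file" or "START file" (also
# "STA"); the file argument may be a URL such as http://host/script.sql.
# The scheme list below is this example's own choice of what to flag.
SCRIPT_CMD = re.compile(
    r"^\s*(?P<cmd>@@?|sta(?:rt)?(?=\s))\s*(?P<target>\S+)",
    re.IGNORECASE,
)
URL_SCHEME = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# "--" and a leading REM/REMARK introduce comments that SQL*Plus ignores.
COMMENT = re.compile(r"--|^\s*rem(?:ark)?\b", re.IGNORECASE)


def find_remote_includes(script_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, command, url) for every script invocation whose
    target is a URL instead of a file on the local file system."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        code = COMMENT.split(line, maxsplit=1)[0]  # drop commented text
        m = SCRIPT_CMD.match(code)
        if not m:
            continue
        target = m.group("target")
        if URL_SCHEME.match(target):
            hits.append((lineno, m.group("cmd"), target))
    return hits


# Constructed sample of a maintenance script that mixes local and remote includes.
SAMPLE_SCRIPT = """\
-- constructed sample: a nightly maintenance script
SET ECHO OFF
@@local_setup.sql
@http://scripts.example.com/nightly/cleanup.sql
REM @http://commented.example.com/ignored.sql
start ftp://files.example.com/report.sql
SELECT 'ok' FROM dual;
"""

if __name__ == "__main__":
    for lineno, cmd, url in find_remote_includes(SAMPLE_SCRIPT):
        print(f"line {lineno}: '{cmd}' fetches script from {url}")
```

Pointing the scanner at the directories and login.sql/glogin.sql files used by scheduled SQL*Plus jobs shows where a spoofed host could substitute a script.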