I saw that David had released his paper "Lateral SQL Injection: A new class of vulnerability in Oracle" last week. I saw this paper in February when David kindly let me have a read of it in advance of publication.
I have to say I am with David in terms of his comments released yesterday in a post on his blog. This is a new class of vulnerability and it's certainly not second order SQL Injection, as no data is stored to be executed. I have to say it's close to it in terms of principle, as the attack payload is set up first, but it's different, as the session is modified to add the payload as a date format. I am also with David that this is not mostly academic (Eric Maurice in his blog also agrees); there is a real threat, as there are a number of issues:
1) It's a new way to inject via dates and numbers
2) Just because dynamic code appears to not have an attack vector doesn't mean that it cannot be attacked.
3) Any principle that says a concat or double vertical bar is safe because the data is not passed in as a parameter or read from the database is flawed.
There are likely to be more methods coming to light as time passes. Any concatenated string used as SQL, DDL or PL/SQL is potentially dangerous.
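As an added illustration of the three points above (not code from David's paper or from this post): a procedure that takes no parameters and reads nothing from a table still builds its statement from a DATE rendered through the session's NLS_DATE_FORMAT, shown beside two forms that remove that dependency. The table and procedure names are hypothetical.

```sql
-- Added example; audit_log and the purge_audit_* procedures are hypothetical.
CREATE TABLE audit_log (id NUMBER, logged_at DATE);

-- Weak form: no parameters and no stored data, but concatenating a DATE
-- forces an implicit DATE-to-text conversion using the session's
-- NLS_DATE_FORMAT, so a session setting ends up inside the statement text.
CREATE OR REPLACE PROCEDURE purge_audit_weak IS
  v_cutoff DATE := SYSDATE - 90;
  v_stmt   VARCHAR2(400);
BEGIN
  v_stmt := 'DELETE FROM audit_log WHERE logged_at < ''' || v_cutoff || '''';
  EXECUTE IMMEDIATE v_stmt;
END;
/

-- Hardened form: the DATE travels as a bind variable. It is never rendered
-- as text, so no session format can change what the statement says.
CREATE OR REPLACE PROCEDURE purge_audit_bound IS
  v_cutoff DATE := SYSDATE - 90;
BEGIN
  EXECUTE IMMEDIATE 'DELETE FROM audit_log WHERE logged_at < :cutoff'
    USING v_cutoff;
END;
/

-- Where a literal cannot be avoided (dynamic DDL does not accept binds):
-- convert with an explicit format mask on both sides, so the text produced
-- is fixed by the code and not by the session's NLS_DATE_FORMAT.
CREATE OR REPLACE PROCEDURE purge_audit_literal IS
  v_cutoff DATE := SYSDATE - 90;
  c_mask   CONSTANT VARCHAR2(30) := 'YYYY-MM-DD HH24:MI:SS';
BEGIN
  EXECUTE IMMEDIATE
    'DELETE FROM audit_log WHERE logged_at < TO_DATE('''
    || TO_CHAR(v_cutoff, c_mask) || ''', ''' || c_mask || ''')';
END;
/
```

When auditing PL/SQL, the weak form is the one to search for: any `||` next to a DATE or NUMBER variable in a string that reaches EXECUTE IMMEDIATE or DBMS_SQL.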
I am on my way to Edinburgh to speak at the OUG Scotland DBA SIG on the subject of Oracle Forensics. I have some updates to make to the front page of my site in terms of speaking engagements, which I will get to soon, but for now, I have agreed to speak in Iceland in September and also at the UKOUG Northern Server technology day in June and also the management and infrastructure SIG of the UKOUG, also in June.
I am also working with a number of companies to provide public training days for my two day course "How to perform an Oracle database security audit". More details in the next few days but as a summary there will be an event in London in June, July and also potentially in August or September. I will also deliver the training in Holland, Germany, Sweden and Norway in November and December. I am also delivering the course to a growing number of private companies on their own sites over the next 6 months. As I said I will put up actual dates and a detailed agenda in the next few days here on the blog and also on the training course page itself.