Lateral SQL injection is a sweet new attack vector against Oracle first written on by David Lichfield in his paper released on the 27 of February, 2008. In it he details how to perform SQL injection in unusual data types in the Oracle RDBMS. This attack vector is especially nifty when used on SQL statements which do not have parameters, thus typically precluding them from being audited.
While the paper goes on to describe the technical nuances required to pull off a lateral SQL attack, it does not go in-depth in describing potential consequences. Lateral SQL injection effects every instance of Oracle, including its most recent release. Companies who do fail to audit ALL of their SQL could potentially be vulnerable, which is a serious risk, especially considering the attack takes advantage of a core function of the Oracle RDBMS. While Oracle's past release's have had their own issues (for instance, http://tinyurl.com/cxfa3r), lateral SQL injection cannot be patched. It is up to Oracle to inform customers about the issue, and work with them to update client SQL statements and validate ALL code to prevent this vulnerability.
WTF?!
ReplyDelete