-
Lateral SQL injection in Oracle
-
David Litchfield has just released a paper showing that it is possible to do SQL injection using DATE or even NUMBER data types to exploit a PL/SQL procedure in Oracle RDBMS! The attacker can exploit a PL/SQL procedure that doesn't even take user input!
The trick is to issue an ''ALTER SESSION SET NLS_DATE_FORMAT'' command to change the NLS variable so that the PL/SQL compiler will accept arbitrary SQL as a ''DATE'' (even though it is not).
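What the defensive side of this looks like, as an added example that is not taken from the paper or from Oracle: a procedure with no parameters that concatenates a DATE into dynamic SQL, next to a bind-variable version, plus a dictionary query for finding dynamic SQL to review. The table audit_log and both procedure names are hypothetical.

```sql
-- Constructed schema for illustration: audit_log(logged_at DATE, msg VARCHAR2(200)).

-- Weak: the DATE is concatenated into the statement text. Concatenation forces
-- an implicit DATE -> VARCHAR2 conversion that uses the caller's session
-- NLS_DATE_FORMAT, so a session setting decides what text reaches the parser,
-- even though the procedure takes no input at all.
CREATE OR REPLACE PROCEDURE purge_audit_weak AS
  v_cutoff DATE := SYSDATE - 30;
  v_stmt   VARCHAR2(400);
BEGIN
  v_stmt := 'DELETE FROM audit_log WHERE logged_at < ''' || v_cutoff || '''';
  EXECUTE IMMEDIATE v_stmt;
END;
/

-- Hardened: the DATE is passed as a bind variable and is never rendered as
-- text, so NLS_DATE_FORMAT has no influence on the statement that is parsed.
-- (Plain static SQL, DELETE ... WHERE logged_at < v_cutoff, is equally safe.)
-- If a value really must be embedded as text, convert it explicitly with a
-- fixed mask, e.g. TO_CHAR(v_cutoff, 'YYYY-MM-DD HH24:MI:SS').
CREATE OR REPLACE PROCEDURE purge_audit_bound AS
  v_cutoff DATE := SYSDATE - 30;
BEGIN
  EXECUTE IMMEDIATE 'DELETE FROM audit_log WHERE logged_at < :cutoff'
    USING v_cutoff;
END;
/

-- Review aid: list stored code lines that use dynamic SQL, so each one can be
-- checked by hand for concatenated DATE or NUMBER values.
SELECT owner, name, type, line, text
  FROM all_source
 WHERE UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
    OR UPPER(text) LIKE '%DBMS_SQL%'
 ORDER BY owner, name, type, line;
```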
=== For more information ===
~ Lateral SQL Injection: A New Class of Vulnerability in Oracle
http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf
-
Microsoft Chief Software Architect Ray Ozzie talks open source, mesh
-
Microsoft Chief Software Architect Ray Ozzie says the company has been dramatically changed by open source and the concept of using the Web as a hub. Here's more to read:
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/04/17/Microsofts-Ozzie-talks-open-source-mesh_1.html
http://www.microsoft.com/presspass/exec/ozzie/04-17MVP.mspx