Vulnerability Development: Re: Perl / Oracle Vuln. New or Not?

[H D Moore <hdm () SECUREAUSTIN COM>]

Hi,

I am seen a similar situation with Sybase.  The issue is really that the perl
script exists when the database module recieves an unexpected error.  The
database is coming back and saying the field is too long, but the perl DBD
module doesn't know how to handle it, so it just exits.  If the actual Oracle
server dies, then you may have a serious problem.

-HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)

On Tuesday 05 December 2000 02:12 pm, Simon Kenton wrote:
> I came across an interesting bug / vulnerability while testing some web
> code for a client.  The system is running Solaris 2.6, Netscape Enterprise
> Server, and is using Perl to interface with a Oracle database.  Feeding the
> web form about 40,000 characters seems to kill oracle with the following
> error.
>
>
> DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD
> ERROR: OCIStmtExecute/Describe) at
> /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183. DBD::Oracle::db
> prepare failed: ORA-01704: string literal too long (DBD ERROR:
> OCIStmtExecute/Describe) at
> /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183. DBD::Oracle::db
> prepare failed: ORA-01704: string literal too long (DBD ERROR:
> OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm
> line 183.
>
> If I enter a little more than 80,000 characters either the oracle, or perl
> thread dies altogether, and I get a page unreachable error. Has anyone seen
> this before?