Monday, January 11, 2010

Magic Quotes

During a recent penetration test I came across the following web application architecture:

You will probably ask: what is wrong here?

The problem is that Oracle is not MySQL. The backslash that magic quotes (PHP's magic_quotes_gpc) puts in front of every quote in request data is only meaningful to MySQL, where a backslash is an escape character inside a string literal. Oracle has no concept of backslash "shielding" at all, because it is a serious DBMS :) In an Oracle string literal the only way to escape a quote is to double it (''), and a backslash is an ordinary character, so a value such as \' is read as a backslash followed by a quote that terminates the literal:

It should be mentioned that we encountered a lot of Oracle databases during this penetration test, and most of them contained the vulnerability described here, i.e. they accepted the universal login "'or(1)=(1)--" (in other words, SQL injection).

Microsoft SQL Server likewise treats a backslash ("\") as an ordinary character rather than an escape:

And for Sybase we get the same result:
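As an added example (not code from the original post), here is a small Python model of the behaviour discussed above for Oracle, Microsoft SQL Server and Sybase versus MySQL. It applies the escaping that magic_quotes_gpc applied (PHP's addslashes), embeds the result in a login query, and then reads the string literal back the way MySQL does (backslash is an escape) and the way the other three do (backslash is an ordinary character, only a doubled quote escapes a quote). The query text, the `users` table name and the dialect table are constructed for the example.

```python
# Added example: a model of how the backslash inserted by PHP's
# magic_quotes_gpc (addslashes) is read by different SQL string-literal
# parsers.  Not code from the original post; the query, the dialect
# table and the payloads are constructed for illustration.

DIALECTS = {
    # True  = backslash escapes the next character inside a literal
    # False = backslash is an ordinary character; only '' escapes a quote
    "mysql": True,        # default sql_mode (NO_BACKSLASH_ESCAPES off)
    "mysql_nbe": False,   # MySQL with sql_mode NO_BACKSLASH_ESCAPES
    "oracle": False,
    "mssql": False,
    "sybase": False,
}


def addslashes(s: str) -> str:
    """PHP addslashes() for the characters that matter here: what
    magic_quotes_gpc did to every GET/POST/cookie value (it also escapes NUL)."""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in s)


def double_quotes(s: str) -> str:
    """Standard-SQL escaping: the only escape Oracle, MSSQL and Sybase honour."""
    return s.replace("'", "''")


def build_query(login: str) -> str:
    """The kind of dynamic query a vulnerable login form builds (constructed)."""
    return "SELECT * FROM users WHERE login = '" + login + "'"


def parse_literal(sql: str, backslash_escapes: bool):
    """Read the first single-quoted literal in sql the way the dialect would.
    Returns (value as the DBMS sees it, SQL text left after the literal)."""
    i = sql.index("'") + 1
    value = []
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            value.append(sql[i + 1])            # \x -> x   (MySQL only)
            i += 2
        elif ch == "'" and i + 1 < len(sql) and sql[i + 1] == "'":
            value.append("'")                   # '' -> '   (all dialects)
            i += 2
        elif ch == "'":
            return "".join(value), sql[i + 1:]  # literal closed here
        else:
            value.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def analyze(payload: str, dialect: str, escaper=addslashes) -> dict:
    """Escape payload, embed it, and report whether the attacker broke out of
    the literal: it is intact only if nothing is left after its closing quote."""
    sql = build_query(escaper(payload))
    value, tail = parse_literal(sql, DIALECTS[dialect])
    return {"sql": sql, "value": value, "tail": tail, "injected": tail != ""}


if __name__ == "__main__":
    universal_login = "'or(1)=(1)--"   # the login quoted in the post
    for escaper in (addslashes, double_quotes):
        for d in DIALECTS:
            r = analyze(universal_login, d, escaper)
            state = "INJECTED" if r["injected"] else "safe"
            print(f"{escaper.__name__:13} {d:10} {state:8} {r['sql']}")
```

Running it shows the universal login from the post surviving intact under MySQL's default mode and breaking out of the literal under Oracle, MSSQL and Sybase (the text left after the literal, `or(1)=(1)--'`, is exactly the injected condition); with quote doubling the literal stays closed in every dialect. The `mysql_nbe` row is the caveat for MySQL itself: with sql_mode NO_BACKSLASH_ESCAPES the server also reads the backslash literally, so addslashes-style escaping is not safe even there. The model is for understanding the bug; the fix in real code is bind variables (parameterized queries), not a better escaping function.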

So these DBMS-specific features have to be taken into account when writing an application and, above all, when porting it to another database: escaping that was adequate for one DBMS can turn into a SQL injection on the next. The reliable way out is not to escape user input at all but to pass it to the database through bind variables (parameterized queries).

Note: this topic was described by Bernardo Damele [1,2] on his blog a year ago, but practice shows that the problem is still relevant.