Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Dec 4th, 2006, 1:04pm)

Title: Risk of Dangling Cursor Snarfing
Post by Pete Finnigan on Dec 4th, 2006, 1:04pm
Hi all,

I found a really interesting blog entry from Stephen Kost about the "Dangling Cursor Snarfing" attack.

http://www.integrigy.com/oracle-security-blog/archive/2006/11/30/oracle-cursor-snarfing-analysis

Personally I agree with Stephen's opinion. What do you think about the risk? Big threat or minor issue?

Regards

Alexander

--

Red-Database-Security GmbH

Title: Re: Risk of Dangling Cursor Snarfing
Post by Pete Finnigan on Dec 4th, 2006, 8:19pm
Hi Alex

Probably a very minor issue, as there are likely very few cases that could be exploited, as Steve said. The issue could be bigger in third party code than in core Oracle. The fact that you can only manipulate binds means that even if you find a case that could be exploited, it's unlikely to be a case where escalation of privileges is possible. Data theft seems to be the biggest risk.

cheers

Pete


