In association with heise online

30 June 2006, 08:32

In a security advisory, Alexander Kornbrust has reported on a common programming error in Oracle Reports that allows arbitrary database queries to be injected (SQL injections).

Reports that use what are called "lexical references" are affected. If the expression &paramform=yes is added to the URL of such reports, a new browser window opens up where the SQL query can be changed easily. In the advisory, a number of examples of improper implementations are provided along with proposed solutions to work around this problem.
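As an added illustration (not code from the advisory or from Oracle Reports), the Python sketch below mimics how a lexical reference is expanded verbatim into a report's SQL, so that text edited in the parameter form becomes part of the query, and contrasts it with an allowlist check on the fragment. The report query, column names and the allowlist policy are constructed for this example; the bind-reference template at the end is shown as the shape of the safer alternative only.

```python
import re

# Constructed report query using a lexical reference, &P_WHERE. Oracle Reports
# splices a lexical parameter's text into the SQL verbatim, so a user who can
# edit it in the parameter form (paramform=yes) is editing the query itself.
REPORT_SQL = "SELECT empno, ename, sal FROM emp WHERE &P_WHERE"

def expand_lexical(template, params):
    """Verbatim &NAME expansion: the vulnerable pattern the advisory describes."""
    return re.sub(r"&(\w+)", lambda m: str(params[m.group(1)]), template)

# Allowlist for what a lexical WHERE fragment may contain: one known column,
# one comparison operator and one numeric or simple quoted literal.
# (Hypothetical policy for this example; a real report would list its own columns.)
ALLOWED_COLUMNS = ("deptno", "job", "mgr")
FRAGMENT_RE = re.compile(
    r"^(?P<col>\w+)\s*(?P<op>=|<>|<=|>=|<|>)\s*(?P<lit>\d+|'[A-Za-z0-9_ ]*')$"
)

class LexicalReferenceError(ValueError):
    """Raised when a lexical parameter value is not a permitted fragment."""

def is_safe_fragment(value):
    """True only for 'column op literal' on an allowed column; anything that
    appends further SQL (OR, UNION, comments, a second statement) fails."""
    m = FRAGMENT_RE.match(value.strip())
    return bool(m) and m.group("col").lower() in ALLOWED_COLUMNS

def expand_lexical_checked(template, params):
    """Hardened expansion: every lexical value must pass the allowlist first."""
    for name, value in params.items():
        if not is_safe_fragment(value):
            raise LexicalReferenceError(f"rejected lexical value for {name}: {value!r}")
    return expand_lexical(template, params)

# Where the report can be changed, a bind reference (:P_DEPTNO) carries a value,
# not SQL text, which removes the problem instead of filtering it.
BIND_SQL = "SELECT empno, ename, sal FROM emp WHERE deptno = :P_DEPTNO"

if __name__ == "__main__":
    normal = {"P_WHERE": "deptno = 10"}
    tampered = {"P_WHERE": "deptno = 10 OR 1=1"}   # value edited via the parameter form
    print(expand_lexical(REPORT_SQL, tampered))    # the injected text is now SQL
    print(expand_lexical_checked(REPORT_SQL, normal))
    try:
        expand_lexical_checked(REPORT_SQL, tampered)
    except LexicalReferenceError as err:
        print("blocked:", err)
```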

Kornbrust believes that such reports with lexical references are very popular because they are so powerful.
