What an error message reveals

A while ago I was on a web site using the site's search engine, when I accidentally entered a quote after my search term and hit enter by reflex (I swear I didn't want to test their site for SQL injection on purpose). But nevertheless, this is what I got:

As you can see, the error that was returned contains the SQL statement. While they probably put it there to make it easier to troubleshoot problems, it gives us quite an insight into their system. Actually, I think it's a bit too much insight for comfort, if I were them.

The fact that the site shows the SQL statement that went wrong is already a great risk. Why? I'll tell you why: SQL injection. Normally it's the attacker's job to find out what SQL you are running and to try to misuse it: maybe add the records from other tables or data dictionary views to the result on the page, perhaps change data, or alter or drop an object. You're not supposed to make it this easy.

But this error message actually tells much more. To name a few things:

  • The ORA-00911 error shows that the database is an Oracle database.
  • Apparently OraOLEDB is used to communicate with the database, possibly from the web/application server. OraOLEDB might also point to the programming language used. .NET maybe?
  • The select statement tells you how objects, like tables and views, are named.
  • One of the table names begins with “mv_”. Chances are it's a materialized view. Chances are there is a database link to the source database. That link isn't necessary, but it's not uncommon for DBAs to put one there for maintenance.
  • The “contains” function is part of the Oracle Text option. Attackers might want to try known exploits against older versions of Oracle Text.
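To make the two problems above concrete (user input glued into the SQL text, and the raw database error, statement included, being sent back to the browser), here is an added example that is not from the original post or the site it describes. It uses Python's built-in sqlite3 as a stand-in for the Oracle database, a constructed table named mv_articles, and two hypothetical search functions: the first reproduces the pattern the post ran into, the second binds the search term as a parameter and hands the user only a correlation reference while the full statement and error go to the server log.

```python
import logging
import sqlite3
import uuid

# Constructed sample data: sqlite3 stands in for the Oracle database in the post,
# and the mv_ prefix mirrors the naming the error message leaked.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mv_articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO mv_articles (title, body) VALUES (?, ?)",
        [
            ("Oracle Text tuning", "constructed body"),
            ("Materialized views", "constructed body"),
            ("O'Reilly books", "constructed body"),
        ],
    )
    return conn


def search_unsafe(conn, term):
    """The pattern behind the leaked error: the term is concatenated into the
    SQL text, so a stray quote breaks the statement, and the database error is
    returned to the caller together with the statement that failed."""
    sql = "SELECT title FROM mv_articles WHERE title LIKE '%" + term + "%'"
    try:
        return {"rows": [r[0] for r in conn.execute(sql)], "error": None}
    except sqlite3.Error as exc:
        # This is the disclosure: engine, error text and SQL all go to the user.
        return {"rows": [], "error": f"{exc} in statement: {sql}"}


def search_safe(conn, term, log=logging.getLogger("search")):
    """Hardened version: the term travels as a bind variable, so a quote is
    just data; if the database does fail, the details are logged server-side
    under a correlation id and the user sees only that id."""
    sql = "SELECT title FROM mv_articles WHERE title LIKE ?"
    try:
        rows = [r[0] for r in conn.execute(sql, ("%" + term + "%",))]
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("search failed ref=%s sql=%r term=%r err=%s", ref, sql, term, exc)
        return {"rows": [], "error": f"Search failed. Reference: {ref}"}


if __name__ == "__main__":
    db = build_db()
    # A quote typed by accident, as in the post: the first call leaks the
    # statement, the second simply treats the quote as part of the search term.
    print(search_unsafe(db, "O'"))
    print(search_safe(db, "O'"))
```

The generic message with a reference id is what the site's users should see; the log line keeps everything a developer needs to reproduce the failure without handing it to whoever typed the quote.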

So as you can see, one error message like this can reveal a lot of the puzzle pieces that attackers are looking for. Because that's what they do: they collect information before (or while) they hack you.

In December 2009 I notified the owners of the web site that they have a problem, but when I checked the site today this revealing error still appears. Possibly they wait until they are hacked first, or until I remind them once more that this is a big security risk.


About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I had an interest in Oracle database performance tuning. This led, eventually, to a four day training I made and gave for customers of Transfer Solutions. Since 2012 I work for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm a Oracle certified professional for the 8i, 9i, 10g and 11g databases and Oracle Database 11g Performance Tuning Certified Expert.
This entry was posted in Oracle security.
