PL/SQL

PL or SQL : Dangerous function

Classification

CWE/SANS Top 25 2011

Overview

DBMS_UTILITY.EXEC_DDL_STATEMENT only executes statements defined as part of the Data Definition Language. Other statements are silently ignored, which makes debugging difficult.

The DBMS_XMLGEN package converts the results of a SQL query to a canonical XML format in real time. An attacker can exploit this package to inject SQL code, so all data, including user credentials, can be extracted from the database. Given that this package is extremely dangerous, the need for its use should be carefully scrutinized. If dynamic database queries in XML format are not required, the package should be removed.
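As an added example that is not part of this entry, the form in which the DBMS_XMLGEN weakness usually appears in application code is shown beside a hardened version, followed by the inventory and privilege checks a reviewer would run; the EMP table, its DEPTNAME column and the function names are assumptions.

```sql
-- Added example (not from the DerScanner entry). EMP, DEPTNAME and the
-- function names are assumed for illustration.

-- Vulnerable form: the caller-supplied value is concatenated into the query
-- text, so the statement DBMS_XMLGEN parses is partly chosen by the caller.
CREATE OR REPLACE FUNCTION dept_report_unsafe(p_dept IN VARCHAR2) RETURN CLOB IS
  l_ctx DBMS_XMLGEN.ctxHandle;
  l_xml CLOB;
BEGIN
  l_ctx := DBMS_XMLGEN.NEWCONTEXT(
             'SELECT empno, ename FROM emp WHERE deptname = ''' || p_dept || '''');
  l_xml := DBMS_XMLGEN.GETXML(l_ctx);
  DBMS_XMLGEN.CLOSECONTEXT(l_ctx);
  RETURN l_xml;
END;
/

-- Hardened form: the query text is a constant and the value is passed as a
-- bind variable through DBMS_XMLGEN.SETBINDVALUE, so it can only ever be data.
-- The input is also length-checked against the (assumed) column definition.
CREATE OR REPLACE FUNCTION dept_report_safe(p_dept IN VARCHAR2) RETURN CLOB IS
  l_ctx DBMS_XMLGEN.ctxHandle;
  l_xml CLOB;
BEGIN
  IF p_dept IS NULL OR LENGTH(p_dept) > 30 THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid department name');
  END IF;
  l_ctx := DBMS_XMLGEN.NEWCONTEXT(
             'SELECT empno, ename FROM emp WHERE deptname = :DEPT');
  DBMS_XMLGEN.SETBINDVALUE(l_ctx, 'DEPT', p_dept);
  l_xml := DBMS_XMLGEN.GETXML(l_ctx);
  DBMS_XMLGEN.CLOSECONTEXT(l_ctx);
  RETURN l_xml;
END;
/

-- Review check: list every stored unit that references DBMS_XMLGEN, so each
-- use can be justified or rewritten with bind variables.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE UPPER(text) LIKE '%DBMS_XMLGEN%'
 ORDER BY owner, name, line;

-- If no application needs dynamic XML queries, withdraw the default PUBLIC
-- execute grant so only explicitly authorised schemas can call the package.
REVOKE EXECUTE ON SYS.DBMS_XMLGEN FROM PUBLIC;
```

The REVOKE should be tested in a non-production database first, because any dependent stored unit owned by a schema without its own grant will be invalidated.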

DerScanner Severity Score

MEDIUM

