DerScanner
Home / Vulnerability Database / PL or SQL : File system access
PL/SQL

PL or SQL : File system access

Classification

OWASP Top 10 2013
A7-Missing Function Level Access Control
OWASP Top 10 2017
A5-Broken Access Control
OWASP Top 10 2021
A1-Broken Access Control
OWASP ASVS
Files and Resources
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (a)(1)
CWE
CWE-1033

Overview

The application uses a package for file system management. If the arguments of the function originate from an untrusted source, an adversary can modify tablespace datafiles and control files.

By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.

References

  1. Top 10 Oracle Steps to a Secure Oracle Database Server - Chris Stark / opensecurityresearch.com
  2. Steven Feuerstein, Bill Pribyl - Oracle PL/SQL Programming, pp. 876-877
  3. OWASP Top 10 2017-A5-Broken Access Control
LOW

DerScanner Severity Score

Do you want to fix PL or SQL : File system access in your application?

See also

PL/SQL

PL or SQL : Open redirect

PL/SQL

PL or SQL : Cross-site scripting (XSS)

PL/SQL

PL or SQL : Weak hashing algorithm