COMMAND

    perl

SYSTEMS AFFECTED

    perl with databases

PROBLEM

    Simon Kenton found the following. This was tested on Solaris 2.6
    running Netscape Enterprise Server, Perl 5, and Oracle. Inputting
    40,001 or more characters into any form field causes an application
    error. Inputting 80,001 or more characters causes additional errors.

    Output From Web server:

        DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR:
        OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line
        183.
        DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD
        ERROR: OCIStmtExecute/Describe) at
        /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183. DBD::Oracle::db prepare
        failed: ORA-01704: string literal too long (DBD ERROR:
        OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line
        183.

    When 40,001 or more characters are entered into a textbox field and
    submitted via the form, the web server displays the directory
    structure of the server, the version of Perl running, and divulges
    the fact that Oracle is installed on the system. This gives an
    attacker information about a system that only system administrators
    have a legitimate need to know, and it could help an attacker craft
    a successful attack against a server with this vulnerability. When
    80,001 or more characters are submitted through the form, the Perl
    script dies and the web server displays a 'page unavailable' error.
    Either of these conditions may be causing a buffer overflow
    condition, giving a further opportunity for an attacker to
    compromise the server.

    The HTML form linked to foo.pl does not limit the number of
    characters that it passes to foo.pl. The Perl script does not limit
    the size of data it will accept by automatically truncating data
    input through the form before submitting the string to the DBI
    module, which does some sanity checking of the SQL string before the
    string is sent to Oracle for processing. DBI is a module for Perl
    that is used to provide connectivity between Perl and databases
    (such as Oracle). This does prevent corruption of the database, as
    the DBIx module seems to be dying while it is preparing the SQL
    statement, before the statement is passed to Oracle, which causes an
    error in Perl as opposed to potentially causing an error in Oracle.

    H.D. Moore saw a similar situation with Sybase. The issue is really
    that the Perl script exits when the database module receives an
    unexpected error. The database is coming back and saying the field
    is too long, but the Perl DBD module doesn't know how to handle it,
    so it just exits. If the actual Oracle server dies, then you may
    have a serious problem.

SOLUTION

    As a couple of people (on and off the list) have stated, it is the
    job of the Perl programmer to handle these errors gracefully. In
    this case 'foo.pl' will be fixed so that it no longer divulges this
    information.
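
    The following is an added illustration of that fix, written for this
    summary and not the original foo.pl (whose source was not published);
    the table name, DSN and credentials are assumed. It shows the
    interpolated-literal pattern the errors above point to, beside a
    handler that bounds the input, binds the value and keeps the DBI
    error text out of the page:

```perl
#!/usr/bin/perl -w
# Added example, not the advisory's foo.pl: the same form handler written
# twice, showing the defects the advisory describes and their fixes.
# Assumed: a table COMMENTS(BODY VARCHAR2(4000)), the DSN and credentials.
use strict;
use CGI;
use DBI;

my $MAX_LEN = 4000;                 # assumed column width; reject above it
my $q       = CGI->new;
my $text    = $q->param('comment');
$text = '' unless defined $text;

# --- Pattern the advisory describes (do not use) -------------------------
# The value is interpolated into the SQL text, so a 40,001-byte field is an
# oversized string literal (ORA-01704) at prepare(); with RaiseError on, the
# die() message (module path, Perl version, DBD name) reaches the browser.
sub store_comment_unsafe {
    my ($dbh, $body) = @_;
    my $sth = $dbh->prepare("INSERT INTO comments (body) VALUES ('$body')");
    $sth->execute;
}

# --- Hardened version ----------------------------------------------------
sub store_comment {
    my ($dbh, $body) = @_;
    # 1. Bound the input before it reaches the database layer.
    die "input too long\n" if length($body) > $MAX_LEN;
    # 2. Bind the value: it is never part of the SQL text, so there is no
    #    literal to overflow and no way to break out of the quotes.
    my $sth = $dbh->prepare('INSERT INTO comments (body) VALUES (?)');
    $sth->execute($body);
}

print $q->header('text/html');
my $dbh = eval {
    DBI->connect('dbi:Oracle:ORCL', 'webapp', 'secret',
                 { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
};
# 3. Catch every DBI failure: log the detail server-side and show the user
#    nothing that reveals paths, versions or which database is behind the form.
if ($dbh && eval { store_comment($dbh, $text); 1 }) {
    print "<p>Thank you, your comment was saved.</p>\n";
} else {
    my $err = $@ || $DBI::errstr || 'unknown';
    print STDERR "foo.pl: database error: $err\n";   # web server error log
    print "<p>Sorry, your submission could not be processed.</p>\n";
}
$dbh->disconnect if $dbh;
```

    The length check belongs in the script regardless of any maxlength
    attribute on the HTML form, since the form limit is applied only by
    the client and is trivially bypassed.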