Oracle SQL Injection vulnerability



Hi Group,

I'm doing a penetration test for a client on their web
portal. When I give ' in the username field, I
receive an error from the server:

Unspecified error
ORA-01756: quoted string not properly terminated

Does that mean the site is vulnerable to SQL
Injection? I tried ' OR 1=1-- and ' OR '1'='1'-- but I
get the same error message.

Any help would be much appreciated.

Clone

