Dangling Database Cursor ('Cursor Injection')
Weakness ID: 619 (Weakness Base)Status: Incomplete
+ Description

Description Summary

If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling."

Extended Description

For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor's role, but SQL injection attacks are commonly possible.

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

SQL

+ Modes of Introduction

This issue is currently reported for unhandled exceptions, but it is theoretically possible any time the programmer does not close the cursor at the proper time.

+ Potential Mitigations

Close cursors immediately after access to them is complete. Ensure that you close cursors if exceptions occur.

+ Background Details

A cursor is a feature in Oracle PL/SQL and other languages that provides a handle for executing and accessing the results of SQL queries.

+ Weakness Ordinalities
OrdinalityDescription
Primary

This could be primary when the programmer never attempts to close the cursor when finished with it.

Resultant
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class402Transmission of Private Resources into a New Sphere ('Resource Leak')
Development Concepts699
Research Concepts1000
ChildOfWeakness BaseWeakness Base404Improper Resource Shutdown or Release
Development Concepts (primary)699
Research Concepts (primary)1000
PeerOfCategoryCategory265Privilege / Sandbox Issues
Research Concepts1000
PeerOfCategoryCategory388Error Handling
Research Concepts1000
+ References
David Litchfield. "The Oracle Hacker's Handbook".
David Litchfield. "Cursor Injection". <http://www.databasesecurity.com/dbsec/cursor-injection.pdf>.
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes
2008-10-14CWE Content TeamMITREInternal
updated Background Details, Description, Relationships
2009-05-27CWE Content TeamMITREInternal
updated Name
2009-10-29CWE Content TeamMITREInternal
updated Modes of Introduction, Other Notes, Weakness Ordinalities
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Dangling Database Cursor (Cursor Injection)
2009-05-27Dangling Database Cursor (aka 'Cursor Injection')
Back to top