
Re: Interesting MetaLink notice

From: Jared Still <jkstill_at_gmail.com>
Date: Sun, 5 Feb 2006 10:17:26 -0800
Message-ID: <bf46380602051017u7c89699arfe1674814dc691c2@mail.gmail.com>


On 2/4/06, Mladen Gogala <gogala_at_sbcglobal.net> wrote:
>
>
> On 02/04/2006 08:20:41 PM, Jared Still wrote:
> > https://metalink.oracle.com/metalink/plsql/showDoc?db=NEW&id=1696291.993
>
> Are you referring to Oracle's reaction to David Litchfield's findings?
> --
> Mladen Gogala
> http://www.mgogala.com
>
>

Yes. I see the text is available now.

It seemed very interesting as Litchfield has grown increasingly frustrated with Oracle regarding the patching of serious security holes.

Oracle's response to this is rather more candid than what is usually seen, and seems to indicate Oracle's increasing frustration with Litchfield.

Questions that arise from this, and have certainly arisen a number of times previously to this:

Litchfield released a workaround for this hole, but it has not had the extensive
testing that Oracle must do before releasing a workaround to be applied to http.conf.

From bugtraq:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

A reply to Litchfield's post on bugtraq stated that this workaround breaks HTMLDB (excuse me: Oracle Application Express).

Oracle states that this will also break eBusiness Suite.

The state of Oracle security has been somewhat questionable as of late.

Some of Litchfield's frustration is understandable, as some flaws in Oracle have
been uncorrected for literally years after they were notified of the problems.

Frustration on the part of the lowly DBA increases as well.

Here we are, applying non-trivial patches (which sometimes need to be done twice if you are an unfortunate early adopter), knowing full well that there are known issues that are not addressed by the patch.

Even those problems that are addressed by security problems are not always corrected, requiring only a small change in the exploit to get around the security 'fix'.

So, while Oracle and the researchers duke it out, the DBAs and other customers of Oracle are caught in the middle.

Gotta go now, breakfast is ready. :)

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
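Added example (not part of the post, and not code from Litchfield's bugtraq advisory): a small Python check that applies the quoted RewriteCond pattern to a handful of constructed query strings, to show why a blanket filter on ')' and '%29' catches ordinary parameter values as well, which is the kind of collateral breakage the HTMLDB and eBusiness Suite reports describe. The sample query strings are made up for illustration.

```python
import re

# The RewriteCond pattern from the quoted workaround, used verbatim.
# mod_rewrite compiles it with PCRE; Python's re engine agrees for this pattern.
# Alternation binds loosest, so this reads as  (^.*\).*)  OR  (.*%29.*$):
# any raw ')' anywhere, or the URL-encoded form '%29' anywhere.
WORKAROUND_PATTERN = re.compile(r'^.*\).*|.*%29.*$')


def is_blocked(query_string: str) -> bool:
    """Return True when the RewriteCond would fire for this query string.

    %{QUERY_STRING} is matched as received, before URL-decoding, which is why
    the pattern needs both the literal ')' and its encoded form '%29'.
    Note that a RewriteCond governs only the RewriteRule that immediately
    follows it; the second RewriteRule in the workaround is unconditional and
    its pattern is matched against the URL path, not the query string.
    """
    return WORKAROUND_PATTERN.search(query_string) is not None


def classify(query_strings):
    """Map each query string to whether the workaround would redirect it."""
    return {qs: is_blocked(qs) for qs in query_strings}


# Constructed sample query strings (hypothetical, not from any real request log).
SAMPLES = [
    "id=42",                      # plain value: allowed
    "p=101:1:0::NO",              # colon-separated style value: allowed
    "q=foo(bar)",                 # benign text with parentheses: blocked
    "q=foo%28bar%29",             # same text as a browser encodes it: blocked
    "report=sum(amount)",         # legitimate expression in a parameter: blocked
]

if __name__ == "__main__":
    for qs, blocked in classify(SAMPLES).items():
        print(f"{'BLOCKED' if blocked else 'allowed':8} {qs}")
```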

--
http://www.freelists.org/webpage/oracle-l
Received on Sun Feb 05 2006 - 12:17:26 CST
