Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> an issue with fixed_date init.ora parameter
Hi All
I thought I would share a recent issue I found whilst doing an Oracle security pentest / audit with everyone on this list. This is not a bug in oracle but a test parameter provided by Oracle that could be used maliciously.
An application we looked at used the oracle system date SYSDATE quite extensively in its functionality and calculations. It was possible to cause mis-calculations in the system by altering an initialisation parameter.
I have written a short paper describing this if anyone is interested. Its at http://www.pentest-limited.com/fixed-date.htm.
The point being, if you use SYSDATE in your code then beware of the parameter fixed_date as it could cause issues and should be protected from change.
regards,
Pete Finnigan
www.pentest-limited.com
-- Pete Finnigan IT Security Consultant PenTest Limited Office 01565 830 990 Fax 01565 830 889 Mobile 07974 087 885 pete.finnigan_at_pentest-limited.com www.pentest-limited.comReceived on Mon Nov 19 2001 - 15:21:33 CST