Oracle FAQ Your Portal to the Oracle Knowledge Grid

an issue with fixed_date init.ora parameter

From: Pete Finnigan <pete_at_peterfinnigan.demon.co.uk>
Date: Mon, 19 Nov 2001 21:21:33 +0000
Message-ID: <Hwcw6nAdfX+7Ew3f@peterfinnigan.demon.co.uk>


Hi All

I thought I would share a recent issue I found whilst doing an Oracle security pentest / audit with everyone on this list. This is not a bug in Oracle but a test parameter provided by Oracle that could be used maliciously.

An application we looked at used the Oracle system date SYSDATE quite extensively in its functionality and calculations. It was possible to cause miscalculations in the system by altering an initialisation parameter.

I have written a short paper describing this if anyone is interested. It's at http://www.pentest-limited.com/fixed-date.htm.

The point being, if you use SYSDATE in your code then beware of the parameter fixed_date as it could cause issues and should be protected from change.

regards,
Pete Finnigan
www.pentest-limited.com

-- 
Pete Finnigan
IT Security Consultant
PenTest Limited

Office  01565 830 990
Fax     01565 830 889
Mobile  07974 087 885

pete.finnigan_at_pentest-limited.com

www.pentest-limited.com
Received on Mon Nov 19 2001 - 15:21:33 CST
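
A defender's check for the concern raised in the message above, added here as an example and not part of the original post or the linked paper: it shows whether fixed_date is currently set, who holds the privilege needed to change it, and how to audit changes. It assumes a DBA session in SQL*Plus and traditional auditing written to the database (the audit_trail parameter enabled); only one level of role grants is resolved.

```sql
-- Added example (not from the original post): audit checks for FIXED_DATE.

-- 1. Is FIXED_DATE set? A NULL value with ISDEFAULT = 'TRUE' means SYSDATE
--    follows the server clock; any other value pins SYSDATE to that date.
SELECT name, value, isdefault, ismodified
FROM   v$parameter
WHERE  name = 'fixed_date';

-- 2. Who can change it at run time? The parameter is altered with
--    ALTER SYSTEM, so list every direct holder of that privilege.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'ALTER SYSTEM'
ORDER  BY grantee;

-- 3. Accounts that receive ALTER SYSTEM through a role (one level only;
--    roles granted to roles need a further pass).
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
WHERE  rp.granted_role IN (SELECT grantee
                           FROM   dba_sys_privs
                           WHERE  privilege = 'ALTER SYSTEM')
ORDER  BY rp.grantee, rp.granted_role;

-- 4. Record every use of ALTER SYSTEM from now on.
--    Assumption: audit_trail is set so records go to the database.
AUDIT ALTER SYSTEM BY ACCESS;

-- 5. Review recorded ALTER SYSTEM activity, newest first.
SELECT username, userhost, timestamp, action_name, returncode
FROM   dba_audit_trail
WHERE  action_name = 'ALTER SYSTEM'
ORDER  BY timestamp DESC;

-- 6. If step 1 shows an unexpected value, return SYSDATE to the real clock.
ALTER SYSTEM SET fixed_date = NONE;
```

The parameter can also be set in the init.ora file itself, so file permissions on that file belong in the same review.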
