Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle 9i DB Security Hole

Re: Oracle 9i DB Security Hole

From: Nuno Souto <nsouto_at_optushome.com.au.nospam>
Date: Sat, 20 Apr 2002 00:35:33 +1000
Message-ID: <3cc02c19$0$15478$afc38c87@news.optusnet.com.au> 





In article <1019221583.21218.0.nnrp-01.9e984b29_at_news.demon.co.uk>, you 
said (and I quote):


> 

> Funnily enough, the DBF 2002 Forum in Sydney

> includes a session

>     "How to test"

> by that  <quote> respected Oracle consultant

> Jonathan Lewis <end quote>.





BTW, just got confirmation from the boss for the forum.  Hope you folks  
are still doing it?




> - - IF I think there may be a vague chance of a

> significant performance issue.





Yeah, but you're looking for breaking the stuff on the 
performance/volume/limits side.  That is an entirely different frame of 
mind from the security folks.  These are supposed to go through 
functionality, not performance. 




> Who, after all, is going to say things like:

>     Does an inline view result in access violation

>     Does explicit partition naming result in access violation

>     Does a cross join result in access violation

>     Does subquery unnesting result in access violation

>     Does flashback query result in access violation

>         (Hm! I hadn't thought of that one before - I wonder ..)

>     Does common subexpression elimination result in access violation





Hehehe!   I'll bet a few of those would cark as is.  I can think of a few 
more.  Been hitting quite a few problems with nulls in cast and object  
extensions.  Like columns that should be null showing values.  And Vicky-
-versa.  Some are on the bug list fixed in 9.0.1.3.  Wouldn't surprise 
me if there were a few problems with security in these ones too.  Don't 
have the time to test at the moment but I'm sure someone else in the 
project I'm in will do.  




> 

> Of course, it is still worth asking how a security testing organisation

> can know much more than the average specialist about Oracle and

> what is possible from day one.  How do you test a brand new product

> when the designers and coders don't even know what all the features

> can do when they are put together.

> 




Well that's the whole thing isn't it?  The bug was apparently noted 
earlier on, but nobody cared to look into it.  Until it went "bang" in 
the face of someone who cared.  I'd have expected the external "testing" 
organizations to at least check the bug database, if nothing else...



-- 
Cheers
Nuno Souto
nsouto_at_optushome.com.au.nospam


Received on Fri Apr 19 2002 - 09:35:33 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US