Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: 11g holes

Re: 11g holes

From: Shakespeare <whatsin_at_xs4all.nl>
Date: Wed, 19 Sep 2007 15:36:06 +0200
Message-ID: <46f125ef$0$235$e4fe514c@news.xs4all.nl> 






"DA Morgan" <damorgan_at_psoug.org> schreef in bericht 
news:1190206501.428967_at_bubbleator.drizzle.com...


> Shakespeare wrote:


>> "Frank van Bortel" <frank.van.bortel_at_gmail.com> schreef in bericht 
>> news:fcp3r3$8oc$2_at_news3.zwoll1.ov.home.nl...
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Jerome Vitalis wrote:
>>>> For what it's worth:
>>>>
>>>> http://tinyurl.com/yqpeqz
>>> Until Kornbrust reveals what the problems are, it is
>>> just hot air.
>>> But he (Alexander) usually is correct about security.
>>>
>>> - --
>>> Regards,
>>> Frank van Bortel
>>>
>>> Top-posting is one way to shut me up...
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.1 (MingW32)
>>>
>>> iD8DBQFG8BKuLw8L4IAs830RAqJUAJ9/PT1iMlWEmk3sXsu2TEIx5Y+dVACginU2
>>> 7S8uS37ziTn++5sJRx7ixGU=
>>> =OPp1
>>> -----END PGP SIGNATURE-----
>>
>> SQL injection in Oracle is not new, but it appears some of the holes were 
>> not fixed....
>> It's not Oracle specific either. Many web-based logins on different 
>> database systems allow it. Have seen an example of hacking a site by 
>> typing #1=1 and ~~ as a password.... aaargh
>> Check out Youtube for "sql injection" and you'll find some nice examples 
>> there...
>>
>> Shakespeare
>




> The number of references to DBMS_ASSERT clearly shows that Oracle

> is working toward improved security with respect to SQL Injection.

> That there are still some holes is both disappointing and not

> surprising.


>




> What is surprising to me is that Oracle doesn't pick up the phone,

> call Pete Finnigan, call Alexander Kornbrust and put them on the

> payroll with a one-year project to find and stuff every hole they

> can find. It would be financially rewarding at almost any price.

> -- 

> Daniel A. Morgan

> University of Washington

> damorgan_at_x.washington.edu (replace x with u to respond)

> Puget Sound Oracle Users Group

> www.psoug.org




You might find some interesting things in this presentation:
http://www.red-database-security.com/wp/hitb2007_oracle_security.pdf



which is the presentation he did sept 5, and hope hackers don't read this. 
Most of the issues are fixed in Oracle CPU's, but still....
How about changing your login.sql and letting a DBA log in to Oracle on your 
terminal? And don't say DBAs don't do such things, I know some who would do 
it...



Shakespeare 
Received on Wed Sep 19 2007 - 08:36:06 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US