Re: 11g holes
"DA Morgan" <damorgan_at_psoug.org> wrote in message
news:1190206501.428967_at_bubbleator.drizzle.com...
> Shakespeare wrote:
>> "Frank van Bortel" <frank.van.bortel_at_gmail.com> wrote in message
>> news:fcp3r3$8oc$2_at_news3.zwoll1.ov.home.nl...
>>> Jerome Vitalis wrote:
>>>> For what it's worth:
>>>>
>>>> http://tinyurl.com/yqpeqz
>>> Until Kornbrust reveals what the problems are, it is
>>> just hot air.
>>> But he (Alexander) usually is correct about security.
>>>
>>> --
>>> Regards,
>>> Frank van Bortel
>>>
>>> Top-posting is one way to shut me up...
>>
>> SQL injection in Oracle is not new, but it appears some of the holes were
>> not fixed....
>> It's not Oracle specific either. Many web-based logins on different
>> database systems allow it. Have seen an example of hacking a site by
>> typing #1=1 and ~~ as a password.... aaargh
>> Check out Youtube for "sql injection" and you'll find some nice examples
>> there...
>>
>> Shakespeare
>
>
You might find some interesting things in this presentation: http://www.red-database-security.com/wp/hitb2007_oracle_security.pdf
which is the presentation he did Sept 5, and hope hackers don't read this. Most of the issues are fixed in Oracle CPUs, but still.... How about changing your login.sql and letting a DBA log in to Oracle on your terminal? And don't say DBAs don't do such things, I know some who would do it...
Shakespeare

Received on Wed Sep 19 2007 - 08:36:06 CDT