Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: 11g holes

From: DA Morgan <damorgan_at_psoug.org>
Date: Wed, 19 Sep 2007 11:38:36 -0700
Message-ID: <1190227108.298003@bubbleator.drizzle.com>


Shakespeare wrote:

> "DA Morgan" <damorgan_at_psoug.org> wrote in message 
> news:1190206501.428967_at_bubbleator.drizzle.com...

>> Shakespeare wrote:
>>> "Frank van Bortel" <frank.van.bortel_at_gmail.com> wrote in message 
>>> news:fcp3r3$8oc$2_at_news3.zwoll1.ov.home.nl...
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Jerome Vitalis wrote:
>>>>> For what it's worth:
>>>>>
>>>>> http://tinyurl.com/yqpeqz
>>>> Until Kornbrust reveals what the problems are, it is
>>>> just hot air.
>>>> But he (Alexander) usually is correct about security.
>>>>
>>>> - --
>>>> Regards,
>>>> Frank van Bortel
>>>>
>>>> Top-posting is one way to shut me up...
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.1 (MingW32)
>>>>
>>>> iD8DBQFG8BKuLw8L4IAs830RAqJUAJ9/PT1iMlWEmk3sXsu2TEIx5Y+dVACginU2
>>>> 7S8uS37ziTn++5sJRx7ixGU=
>>>> =OPp1
>>>> -----END PGP SIGNATURE-----
>>> SQL injection in Oracle is not new, but it appears some of the holes were 
>>> not fixed....
>>> It's not Oracle specific either. Many web-based logins on different 
>>> database systems allow it. Have seen an example of hacking a site by 
>>> typing #1=1 and ~~ as a password.... aaargh
>>> Check out Youtube for "sql injection" and you'll find some nice examples 
>>> there...
>>>
>>> Shakespeare

>> The number of references to DBMS_ASSERT clearly shows that Oracle
>> is working toward improved security with respect to SQL Injection.
>> That there are still some holes is both disappointing and not
>> surprising.
>>

>> What is surprising to me is that Oracle doesn't pick up the phone,
>> call Pete Finnigan, call Alexander Kornbrust and put them on the
>> payroll with a one-year project to find and stuff every hole they
>> can find. It would be financially rewarding at almost any price.
>> --
>> Daniel A. Morgan
>> University of Washington
>> damorgan_at_x.washington.edu (replace x with u to respond)
>> Puget Sound Oracle Users Group
>> www.psoug.org
> 
> You might find some interesting things in this presentation:
> http://www.red-database-security.com/wp/hitb2007_oracle_security.pdf
> 
> which is the presentation he did sept 5, and hope hackers don't read this. 
> Most of the issues are fixed in Oracle CPU's, but still....
> How about changing your login.sql and letting a DBA log in to Oracle on your 
> terminal? And don't say DBAs don't do such things, I know some who would do 
> it...
> 
> Shakespeare 

For compliance and governance purposes it isn't about "would", it is about "could."

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
Received on Wed Sep 19 2007 - 13:38:36 CDT
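The DBMS_ASSERT point raised in the quoted reply, as an added example that is not part of any post in this thread: a PL/SQL procedure that builds dynamic SQL by concatenation, beside a version that validates the identifier with DBMS_ASSERT and passes the data value as a bind variable. The APP_USERS table, its columns and the sample rows are constructed for the example and are assumptions, not anything the thread describes.

```sql
-- Constructed sample table for the example (assumption: not from the thread).
CREATE TABLE app_users (
    username VARCHAR2(30),
    owner    VARCHAR2(30)
);
INSERT INTO app_users VALUES ('alice', 'hr');
INSERT INTO app_users VALUES ('bob',   'hr');
INSERT INTO app_users VALUES ('carol', 'finance');
COMMIT;

-- Vulnerable: both the table name and the literal come straight from the caller.
CREATE OR REPLACE PROCEDURE count_rows_unsafe (
    p_table IN  VARCHAR2,
    p_owner IN  VARCHAR2,
    p_count OUT NUMBER)
AS
    l_sql VARCHAR2(4000);
BEGIN
    -- A p_owner of  x' OR '1'='1  turns the WHERE clause into an always-true
    -- predicate; a p_table of  app_users WHERE 1=1 --  rewrites the statement.
    l_sql := 'SELECT COUNT(*) FROM ' || p_table ||
             ' WHERE owner = ''' || p_owner || '''';
    EXECUTE IMMEDIATE l_sql INTO p_count;
END;
/

-- Hardened: the identifier goes through DBMS_ASSERT, the data goes in as a bind.
CREATE OR REPLACE PROCEDURE count_rows_safe (
    p_table IN  VARCHAR2,
    p_owner IN  VARCHAR2,
    p_count OUT NUMBER)
AS
    l_sql VARCHAR2(4000);
BEGIN
    -- SQL_OBJECT_NAME raises ORA-44002 unless p_table resolves to an existing
    -- object, so the statement is never built from an injected identifier.
    -- (QUALIFIED_SQL_NAME checks syntax only, without resolving the object.)
    l_sql := 'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table) ||
             ' WHERE owner = :owner';
    -- The bind variable is what protects the data value: whatever p_owner
    -- contains, it is compared as a string, never parsed as SQL.
    EXECUTE IMMEDIATE l_sql INTO p_count USING p_owner;
END;
/

-- Probe both procedures with the same injected inputs.
SET SERVEROUTPUT ON
DECLARE
    l_n       NUMBER;
    l_payload VARCHAR2(100) := 'x'' OR ''1''=''1';
BEGIN
    -- Unsafe: the predicate collapses to  owner = 'x' OR '1'='1'
    count_rows_unsafe('app_users', l_payload, l_n);
    DBMS_OUTPUT.PUT_LINE('unsafe, literal injection: ' || l_n);

    -- Safe: the payload is just an owner name that matches no row.
    count_rows_safe('app_users', l_payload, l_n);
    DBMS_OUTPUT.PUT_LINE('safe, literal injection:   ' || l_n);

    -- Safe: identifier injection is rejected before any SQL is executed.
    BEGIN
        count_rows_safe('app_users WHERE 1=1 --', 'hr', l_n);
    EXCEPTION
        WHEN OTHERS THEN
            DBMS_OUTPUT.PUT_LINE('safe, identifier injection rejected: ' || SQLERRM);
    END;
END;
/
```

DBMS_ASSERT only checks that a string has the shape of (or resolves to) a valid identifier; it does nothing for values, which is why the hardened version still relies on the bind variable rather than on quoting the literal into the statement. Where a bind is impossible, DBMS_ASSERT.ENQUOTE_LITERAL is the fallback, but a bind should be the default.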

