Re: 11g holes
Shakespeare wrote:
> "DA Morgan" <damorgan_at_psoug.org> wrote in message
> news:1190206501.428967_at_bubbleator.drizzle.com...
>>> "Frank van Bortel" <frank.van.bortel_at_gmail.com> wrote in message
>>> news:fcp3r3$8oc$2_at_news3.zwoll1.ov.home.nl...
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Jerome Vitalis wrote:
>>>>> For what it's worth:
>>>>>
>>>>> http://tinyurl.com/yqpeqz
>>>> Until Kornbrust reveals what the problems are, it is
>>>> just hot air.
>>>> But he (Alexander) usually is correct about security.
>>>>
>>>> - --
>>>> Regards,
>>>> Frank van Bortel
>>>>
>>>> Top-posting is one way to shut me up...
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.1 (MingW32)
>>>>
>>>> iD8DBQFG8BKuLw8L4IAs830RAqJUAJ9/PT1iMlWEmk3sXsu2TEIx5Y+dVACginU2
>>>> 7S8uS37ziTn++5sJRx7ixGU=
>>>> =OPp1
>>>> -----END PGP SIGNATURE-----
>>> SQL injection in Oracle is not new, but it appears some of the holes were
>>> not fixed....
>>> It's not Oracle specific either. Many web-based logins on different
>>> database systems allow it. Have seen an example of hacking a site by
>>> typing #1=1 and ~~ as a password.... aaargh
>>> Check out YouTube for "sql injection" and you'll find some nice examples
>>> there...
>>>
>>> Shakespeare
>>
>
> You might find some interesting things in this presentation:
> http://www.red-database-security.com/wp/hitb2007_oracle_security.pdf
>
> which is the presentation he did Sept 5, and hope hackers don't read this.
> Most of the issues are fixed in Oracle CPUs, but still....
> How about changing your login.sql and letting a DBA log in to Oracle on your
> terminal? And don't say DBAs don't do such things, I know some who would do
> it...
>
> Shakespeare
For compliance and governance purposes it isn't about "would" it is about "could."
--
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org

Received on Wed Sep 19 2007 - 13:38:36 CDT
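The web-login SQL injection Shakespeare describes above, as an added example that is not part of this thread and not code from any of the posters: the same login check written twice, once concatenating user input into the query text and once passing it through bind variables. The users table, the stored credential and the tautology string are constructed for the example, and SQLite stands in for the database engine, since the defect lives in how the query is built rather than in any particular engine (plaintext password storage is only to keep the demo short).

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting, so anything the user types
    becomes part of the SQL text. A quote in the password ends the literal and
    the rest of the input is parsed as SQL: the predicate can be rewritten."""
    sql = ("SELECT count(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """Uses bind variables: the driver hands the input to the engine as data
    values, and the statement text is fixed before the user is ever involved,
    so no input can change the WHERE clause."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo():
    """Runs both checks with a valid password and with the classic tautology
    (constructed input) and returns the four outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"  # closes the literal, then appends an always-true clause
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "param_valid": login_parameterized(conn, "alice", "correct horse"),
        "param_tautology": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, "->", "logged in" if outcome else "rejected")
```

The concatenating version accepts the tautology because the statement it sends is `... AND password = '' OR '1'='1'`, which is true for every row; the parameterized version compares the password column against the literal string and rejects it. The same rule applies to Oracle's OCI/JDBC bind variables and to PL/SQL that builds dynamic SQL, where `EXECUTE IMMEDIATE ... USING` is the parameterized form.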