
Re: 11g holes

From: Shakespeare <whatsin_at_xs4all.nl>
Date: Thu, 20 Sep 2007 17:06:02 +0200
Message-ID: <46f28c5b$0$232$e4fe514c@news.xs4all.nl>

"DA Morgan" <damorgan_at_psoug.org> wrote in message news:1190227108.298003_at_bubbleator.drizzle.com...

> Shakespeare wrote:
>> "DA Morgan" <damorgan_at_psoug.org> wrote in message 
>> news:1190206501.428967_at_bubbleator.drizzle.com...

>>> Shakespeare wrote:
>>>> "Frank van Bortel" <frank.van.bortel_at_gmail.com> wrote in message 
>>>> news:fcp3r3$8oc$2_at_news3.zwoll1.ov.home.nl...
>>>>> Jerome Vitalis wrote:
>>>>>> For what it's worth:
>>>>>>
>>>>>> http://tinyurl.com/yqpeqz
>>>>> Until Kornbrust reveals what the problems are, it is
>>>>> just hot air.
>>>>> But he (Alexander) usually is correct about security.
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Frank van Bortel
>>>>>
>>>>> Top-posting is one way to shut me up...
>>>> SQL injection in Oracle is not new, but it appears some of the holes 
>>>> were not fixed....
>>>> It's not Oracle specific either. Many web-based logins on different 
>>>> database systems allow it. I have seen an example of hacking a site by 
>>>> typing #1=1 and ~~ as a password.... aaargh
>>>> Check out YouTube for "sql injection" and you'll find some nice 
>>>> examples there...
>>>>
>>>> Shakespeare

>>> The number of references to DBMS_ASSERT clearly shows that Oracle
>>> is working toward improved security with respect to SQL Injection.
>>> That there are still some holes is both disappointing and not
>>> surprising.
>>>

>>> What is surprising to me is that Oracle doesn't pick up the phone,
>>> call Pete Finnigan, call Alexander Kornbrust and put them on the
>>> payroll with a one-year project to find and stuff every hole they
>>> can find. It would be financially rewarding at almost any price.
>>> --
>>> Daniel A. Morgan
>>> University of Washington
>>> damorgan_at_x.washington.edu (replace x with u to respond)
>>> Puget Sound Oracle Users Group
>>> www.psoug.org
>>
>> You might find some interesting things in this presentation:
>> http://www.red-database-security.com/wp/hitb2007_oracle_security.pdf
>>
>> which is the presentation he gave on Sept 5, and I hope hackers don't read 
>> this. Most of the issues are fixed in Oracle CPUs, but still....
>> How about changing your login.sql and letting a DBA log in to Oracle on 
>> your terminal? And don't say DBAs don't do such things, I know some who 
>> would do it...
>>
>> Shakespeare
>
> For compliance and governance purposes it isn't about "would" it is
> about "could."
> -- 
> Daniel A. Morgan
> University of Washington
> damorgan_at_x.washington.edu (replace x with u to respond)
> Puget Sound Oracle Users Group
> www.psoug.org

Daniel,

Does this mean that, under compliance/governance regulations, DBAs are not allowed to log in on other people's PCs?

Shakespeare

Received on Thu Sep 20 2007 - 10:06:02 CDT
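The thread mentions DBMS_ASSERT as Oracle's answer to SQL injection in dynamic PL/SQL. As an added illustration (not code from any poster or from Oracle), here is the pattern it is meant for: a procedure that takes a table name, which cannot be a bind variable, next to a data value, which can. The table APP_EVENTS, its column EVENT_NAME and the procedure names are constructed for this example.

```sql
-- Constructed example; schema APP_EVENTS(EVENT_NAME) and both procedures are hypothetical.

-- Vulnerable form: both arguments are concatenated straight into the statement,
-- so either one can alter the shape of the query that is executed.
CREATE OR REPLACE PROCEDURE count_events_unsafe (
    p_table  IN  VARCHAR2,
    p_name   IN  VARCHAR2,
    p_count  OUT NUMBER)
AS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || p_table ||
        ' WHERE event_name = ''' || p_name || ''''
        INTO p_count;
END;
/

-- Hardened form: the identifier is validated with DBMS_ASSERT.SIMPLE_SQL_NAME,
-- which raises ORA-44003 (invalid SQL name) for anything that is not a legal
-- simple identifier, and the data value is passed as a bind variable.
CREATE OR REPLACE PROCEDURE count_events_safe (
    p_table  IN  VARCHAR2,
    p_name   IN  VARCHAR2,
    p_count  OUT NUMBER)
AS
    l_table  VARCHAR2(400);
BEGIN
    -- Only letters, digits, _, $, # (or a properly double-quoted identifier)
    -- survive this call; spaces, semicolons and comment markers do not.
    l_table := DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || l_table || ' WHERE event_name = :name'
        INTO p_count USING p_name;
END;
/

-- Demonstration: a well-formed name passes, a malformed one is rejected
-- before any SQL is built.
DECLARE
    l_n  NUMBER;
BEGIN
    count_events_safe('APP_EVENTS', 'login', l_n);
    DBMS_OUTPUT.PUT_LINE('rows: ' || l_n);
    BEGIN
        count_events_safe('APP_EVENTS WHERE 1=1 --', 'login', l_n);
    EXCEPTION
        WHEN OTHERS THEN
            DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);  -- ORA-44003
    END;
END;
/
```

DBMS_ASSERT validates identifiers only; values should always travel as binds, since quoting them by hand is what the unsafe version gets wrong.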
