Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: 11g holes
Shakespeare wrote:
> "DA Morgan" <damorgan_at_psoug.org> schreef in bericht > news:1190227108.298003_at_bubbleator.drizzle.com... >> Shakespeare wrote: >>> "DA Morgan" <damorgan_at_psoug.org> schreef in bericht >>> news:1190206501.428967_at_bubbleator.drizzle.com...
>>>>> "Frank van Bortel" <frank.van.bortel_at_gmail.com> schreef in bericht >>>>> news:fcp3r3$8oc$2_at_news3.zwoll1.ov.home.nl... >>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>> Hash: SHA1 >>>>>> >>>>>> Jerome Vitalis wrote: >>>>>>> For what it's worth: >>>>>>> >>>>>>> http://tinyurl.com/yqpeqz >>>>>> Until Kornbrust reveals what the problems are, it is >>>>>> just hot air. >>>>>> But he (Alexander) usually is correct about security. >>>>>> >>>>>> - -- >>>>>> Regards, >>>>>> Frank van Bortel >>>>>> >>>>>> Top-posting is one way to shut me up... >>>>>> -----BEGIN PGP SIGNATURE----- >>>>>> Version: GnuPG v1.4.1 (MingW32) >>>>>> >>>>>> iD8DBQFG8BKuLw8L4IAs830RAqJUAJ9/PT1iMlWEmk3sXsu2TEIx5Y+dVACginU2 >>>>>> 7S8uS37ziTn++5sJRx7ixGU= >>>>>> =OPp1 >>>>>> -----END PGP SIGNATURE----- >>>>> SQL injection in Oracle is not new, but it appears some of the holes >>>>> were not fixed.... >>>>> It's not Oracle specific either. Many web-based logins on different >>>>> database systems allow it. Have seen an example of hacking a site by >>>>> typing #1=1 and ~~ as a password.... aaargh >>>>> Check out Youtube for "sql injection" and you'll find some nice >>>>> examples there... >>>>> >>>>> Shakespeare
>>>>
>>> You might find some interesting things in this presentation: >>> http://www.red-database-security.com/wp/hitb2007_oracle_security.pdf >>> >>> which is the presentation he did sept 5, and hope hackers don't read >>> this. Most of the issues are fixed in Oracle CPU's, but still.... >>> How about changing your login.sql and letting a DBA log in to Oracle on >>> your terminal? And don't say DBAs don't do such things, I know some who >>> would do it... >>> >>> Shakespeare >> For compliance and governance purposes it isn't about "would" it is >> about "could." >> -- >> Daniel A. Morgan >> University of Washington >> damorgan_at_x.washington.edu (replace x with u to respond) >> Puget Sound Oracle Users Group >> www.psoug.org > > Daniel, > > does this mean that with compliance/gov. regulations, DBA's are not allowed > to log in at other peoples PC's? > > Shakespeare
No. It means what they do must be audited and accounted for.
If you can bypass auditing as root or sys you've created an issue that will, in many organizations, violate the law or rules and regs.
A lot of organizations say SarbOx or PIPEDA or whatever doesn't apply to us ... but how many organizations don't take credit cards? Very few. Even hot dogs stands take credit cards. And all those that do signed an agreement to adhere to PCI. https://www.pcisecuritystandards.org/
Can your organization fully comply with these standards? https://www.pcisecuritystandards.org/tech/index.htm
It is a good self-test.
-- Daniel A. Morgan University of Washington damorgan_at_x.washington.edu (replace x with u to respond) Puget Sound Oracle Users Group www.psoug.orgReceived on Thu Sep 20 2007 - 17:25:30 CDT