Re: 11g holes
Shakespeare wrote:
> "Frank van Bortel" <frank.van.bortel_at_gmail.com> wrote in message
> news:fcp3r3$8oc$2_at_news3.zwoll1.ov.home.nl...
> > SQL injection in Oracle is not new, but it appears some of the holes were not fixed....
> It's not Oracle specific either. Many web-based logins on different database
> systems allow it. Have seen an example of hacking a site by typing #1=1 and
> ~~ as a password.... aaargh
> Check out Youtube for "sql injection" and you'll find some nice examples
> there...
>
> Shakespeare

The number of references to DBMS_ASSERT clearly shows that Oracle is working toward improved security with respect to SQL Injection. That there are still some holes is both disappointing and not surprising.
What is surprising to me is that Oracle doesn't pick up the phone, call Pete Finnigan, call Alexander Kornbrust and put them on the payroll with a one-year project to find and stuff every hole they can find. It would be financially rewarding at almost any price.
--
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org

Received on Wed Sep 19 2007 - 07:55:09 CDT