Posts Tagged ‘Security’

New Oracle Security Videos and Blog

Alexander Kornbrust of Red-Database-Security has started a new Oracle security blog (just added to OraNa.info). He also posted new Oracle security videos, 10 as of today.

5 Recent Oracle Security Related Documents

Oracle Applications 11i Encrypted Password String Disclosure (PDF): An undisclosed security vulnerability exists in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications’ user account encrypted password strings, which in turn can be decrypted using previously published information. An attacker can potentially obtain either any user’s password or the Oracle […]

Oracle Database Listener Security Guide

Integrigy has just published an updated version of its white paper on Oracle Database Listener security.

From the introduction:

The Oracle Database Listener is the database server software component that manages the network traffic between the Oracle Database and the client. The Oracle Database Listener listens on a specific network port (default 1521) and […]

Indirect Privilege Escalation And Defeating Virtual Private Databases

David Litchfield has just published two chapters from his book The Oracle Hacker’s Handbook: Hacking and Defending Oracle.

Indirect Privilege Escalation (PDF)

In this chapter, David gives two examples, one with CREATE ANY TRIGGER and another with CREATE ANY VIEW, to demonstrate how these privileges can be abused to gain DBA privileges. In fact, a user who […]
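The defensive counterpart to the chapter, added here as an example and not taken from the book: the query below walks the data dictionary and lists every account that ends up holding CREATE ANY TRIGGER or CREATE ANY VIEW, whether granted directly or through any chain of roles, so the privileges the chapter abuses can be located and revoked. It assumes a DBA connection and uses only the standard views DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS; leaving out SYS and SYSTEM is my choice, not something the chapter prescribes.

```sql
-- Added example (not from The Oracle Hacker's Handbook): which accounts can
-- reach CREATE ANY TRIGGER / CREATE ANY VIEW, directly or via nested roles.
-- Run as a DBA.  Only standard dictionary views are used.
SELECT DISTINCT
       CONNECT_BY_ROOT privilege            AS privilege,
       grantee                              AS holder,
       SYS_CONNECT_BY_PATH(grantee, ' -> ') AS grant_path
FROM (
       -- roots: direct grants of the two privileges (to users or to roles)
       SELECT privilege,
              grantee,
              CAST(NULL AS VARCHAR2(128)) AS granted_role
       FROM   dba_sys_privs
       WHERE  privilege IN ('CREATE ANY TRIGGER', 'CREATE ANY VIEW')
       UNION ALL
       -- edges: role granted_role is held by grantee (a user or another role)
       SELECT CAST(NULL AS VARCHAR2(40)) AS privilege,
              grantee,
              granted_role
       FROM   dba_role_privs
     )
-- keep only real accounts as holders; roles in the middle of a chain still
-- appear inside grant_path
WHERE  grantee IN (SELECT username FROM dba_users)
AND    grantee NOT IN ('SYS', 'SYSTEM')   -- assumption: these are expected to hold everything
START WITH privilege IS NOT NULL
CONNECT BY NOCYCLE PRIOR grantee = granted_role
ORDER  BY privilege, holder, grant_path;
```

Each output row reads left to right as the path the privilege travels, for example ` -> DBA -> SCOTT` for a user who holds it through the DBA role. Anything that is not a known administrative account or an application schema that genuinely needs the privilege is a candidate for REVOKE.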

See How To Hack Oracle Using Dangling Cursor Snarfing

David Litchfield has published a paper showing how a DBMS_SQL cursor that a privileged (definer-rights) procedure opens and fails to close, a dangling cursor, stays usable by the caller in the same session and so becomes a security hole.

I ran his proof of this vulnerability on my Oracle Database 10g Express Edition database.

Connected as SYS:

SQL> CREATE OR REPLACE PROCEDURE pwd_compare(p_user VARCHAR) IS
       cursor_name INTEGER;
       […]
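To show the defensive side of the same mechanism, here is an added example (my code, not the paper's proof of concept): a definer-rights procedure that leaves a DBMS_SQL cursor open when an exception fires, beside a version that closes it on every exit path. The owning schema, the app_secrets table and the procedure names are assumed for illustration.

```sql
-- Added example, not from the paper.  Assumed setup: schema APP owns a table
-- app_secrets(id NUMBER, ...) that ordinary users cannot select from, and
-- grants EXECUTE on these procedures to them.

-- Vulnerable: TO_NUMBER on a bad input raises ORA-01722 after the cursor has
-- been opened and parsed, so CLOSE_CURSOR is never reached.  A caller that
-- catches the exception still has, in its session, a cursor number whose
-- statement was parsed with APP's privileges; BIND_VARIABLE / EXECUTE /
-- FETCH_ROWS on that number run the statement the caller could not have
-- parsed against app_secrets itself.
CREATE OR REPLACE PROCEDURE secret_exists_leaky (p_id    IN  VARCHAR2,
                                                 p_found OUT NUMBER)
AUTHID DEFINER IS
  c   INTEGER;
  cnt NUMBER;
  n   INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'SELECT COUNT(*) FROM app_secrets WHERE id = :id',
                 DBMS_SQL.NATIVE);
  DBMS_SQL.DEFINE_COLUMN(c, 1, cnt);
  DBMS_SQL.BIND_VARIABLE(c, ':id', TO_NUMBER(p_id));   -- raises on 'abc'
  n := DBMS_SQL.EXECUTE_AND_FETCH(c);
  DBMS_SQL.COLUMN_VALUE(c, 1, cnt);
  p_found := cnt;
  DBMS_SQL.CLOSE_CURSOR(c);                             -- skipped on error
END;
/

-- Hardened: the cursor is closed on the normal path and in the handler, and
-- the error is re-raised so the caller still learns that the call failed.
-- Opening the cursor in the declaration means c is always set by the time
-- the handler can run.
CREATE OR REPLACE PROCEDURE secret_exists (p_id    IN  VARCHAR2,
                                           p_found OUT NUMBER)
AUTHID DEFINER IS
  c   INTEGER := DBMS_SQL.OPEN_CURSOR;
  cnt NUMBER;
  n   INTEGER;
BEGIN
  DBMS_SQL.PARSE(c, 'SELECT COUNT(*) FROM app_secrets WHERE id = :id',
                 DBMS_SQL.NATIVE);
  DBMS_SQL.DEFINE_COLUMN(c, 1, cnt);
  DBMS_SQL.BIND_VARIABLE(c, ':id', TO_NUMBER(p_id));
  n := DBMS_SQL.EXECUTE_AND_FETCH(c);
  DBMS_SQL.COLUMN_VALUE(c, 1, cnt);
  p_found := cnt;
  DBMS_SQL.CLOSE_CURSOR(c);
EXCEPTION
  WHEN OTHERS THEN
    -- close on every error path, then re-raise
    IF DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;
END;
/
```

Calling secret_exists_leaky('abc', ...) and secret_exists('abc', ...) both end in ORA-01722, but only the first leaves a parsed cursor behind in the session. Two further points worth checking in a code review: where the procedure does not actually need the owner's privileges, declaring it AUTHID CURRENT_USER removes the privilege boundary a leaked cursor could cross; and releases from 11g onward add checks inside DBMS_SQL itself that refuse a cursor to a different effective user, but closing the cursor on every path is the fix that works on every version.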

A Couple of Podcasts About PL/SQL and Oracle Security

SearchOracle.com has just published a couple of interesting podcasts.

The first, titled Expert says PL/SQL change needed in Oracle 11g, is an interview with Steven Feuerstein.

In the interview, Steven answers the following questions:

Considering how big OpenWorld has become, should there be a separate conference for PL/SQL developers? Your session at the conference was entitled “Ten things you […]

links for 2006-10-06

Everything you wanted to know about SQL injection Review of several types of SQL injection attacks and how they occur and what web developers and end users can do to prevent them. […]
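Since this is an Oracle blog, here is the same lesson in PL/SQL, as an added example (mine, not from the linked article): a function that splices its argument into a dynamic statement, the fixed version that binds it, and the DBMS_ASSERT route for the one case, an object name, that cannot be bound. The orders table and its rows are constructed for the example.

```sql
-- Added example: an injectable PL/SQL function beside its fixed form.
-- Constructed test table, not from the linked article.
CREATE TABLE orders (id NUMBER, customer VARCHAR2(30), amount NUMBER);
INSERT INTO orders VALUES (1, 'acme',   100);
INSERT INTO orders VALUES (2, 'acme',   250);
INSERT INTO orders VALUES (3, 'globex',  75);
COMMIT;

-- Vulnerable: the input becomes part of the statement text.
CREATE OR REPLACE FUNCTION orders_for_unsafe (p_customer IN VARCHAR2)
RETURN NUMBER IS
  n NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE customer = ''' || p_customer || ''''
    INTO n;
  RETURN n;
END;
/

-- Fixed: the input travels as a bind value and cannot change the
-- statement's shape, whatever quotes it contains.
CREATE OR REPLACE FUNCTION orders_for (p_customer IN VARCHAR2)
RETURN NUMBER IS
  n NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE customer = :cust'
    INTO n USING p_customer;
  RETURN n;
END;
/

-- Identifiers cannot be bound; validate them with DBMS_ASSERT instead.
-- SQL_OBJECT_NAME raises ORA-44002 unless the string names an existing object.
CREATE OR REPLACE FUNCTION row_count (p_table IN VARCHAR2)
RETURN NUMBER IS
  n NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO n;
  RETURN n;
END;
/

-- Same input, different outcome.  The payload closes the literal and
-- appends an always-true predicate.
SELECT orders_for_unsafe(q'[acme' OR '1'='1]') AS unsafe_count,  -- 3: every row
       orders_for(q'[acme' OR '1'='1]')        AS safe_count     -- 0: no such customer
FROM   dual;

-- row_count('orders') returns 3; row_count('orders WHERE 1=1') raises ORA-44002.
```

The unsafe function runs `SELECT COUNT(*) FROM orders WHERE customer = 'acme' OR '1'='1'`; the bound version compares the column against the literal string `acme' OR '1'='1` and finds nothing. Grep for `EXECUTE IMMEDIATE` and `DBMS_SQL.PARSE` with `||` in the statement text to find the candidates in existing code.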

Screencasts: Cracking WEP, Tunneling Exploits and More

I stumbled upon this website which has the following interesting screencasts demonstrating the use of a penetration testing tool for Linux:

Tunneling Exploit
WEP Cracking
Spoof attack
Client side attack

(IE may not display the screencasts correctly. Best viewed in Firefox)

It also has an interesting, and rather disturbing, animated GIF image.

And finally, a web page […]

Oracle Security Podcast With Pete Finnigan

I have just finished listening to a very interesting podcast interview with Pete Finnigan (via SearchOracle.com). Pete discusses the problems with Oracle PL/SQL wrapping and hopes that Oracle releases all the built-in PL/SQL packages unwrapped as clear text, as in open source, so that everyone can help with finding bugs. Pete also advises DBAs to […]

Top ten tips for better password management

There is an article on Silicon.com about how companies can manage their passwords. The author offers the following tips for fostering a culture of secure and more effective password management:

Passwords must not be written down.
Passwords must be set.
When the password is "ChangeMe", then change it.
Require as few passwords as possible.
Balance how much password […]