Archive for August, 2008

New Oracle bugs and BSQL Hacker

Mittwoch, August 20th, 2008

Today I reported 6 new security vulnerabilities to Oracle (2 Data Vault, 2 Auditing, 1 Discoverer, 1 Password Verification Function). Even if Oracle Security is getting better (see also discussion on Pete’s Blog) there are still enough bugs available.

Portcullis Labs released their free scanner BSQL Hacker for detecting blind sql injection. BSQL Hacker is supporting Oracle, MSSQL and MySQL. At the moment I have no time to play longer with this tool but it looks promising (see video).

July 2008 CPU Advisory – Windows Patch update for Oracle

Samstag, August 9th, 2008

Yesterday night I got the following email from Oracle support:


Dear Oracle Customer,

You are receiving this email because our records indicated you downloaded Critical Patch Update July 2008 (CPUJul2008) patch for one or more of the following:

o    Oracle Database for the following platforms:
o    Windows 32-bit (Patch 7047034)
o    Windows 64-bit (Patch 7047037)

Symptom and cause of issue
The Database Windows Bundle Patch #26 did not correctly install the sdotopo.jar file.

Workaround if any
Please follow the following manual steps to install sdotopo.jar.

>cd %ORACLE_HOME%\md\lib
>copy sdotopo.jar sdotopo.jar_save
>cd <windows bundle patch location>
>cd files\md\lib
>copy sdotopo.jar %ORACLE_HOME%\md\lib\sdotopo.jar

In the event  you need to rollback to the previous sdotopo.jar:

>cd %ORACLE_HOME%\md\lib
>copy sdotopo.jar_save sdotopo.jar

These steps are also documented in MetaLink Note 579285.1  ¿Critical Patch Update July 2008 Database Known Issues

Follow the manual steps noted above to install the sdotopo.jar file..

Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in securing your Oracle server products.

Oracle Global Product Support