tag:blogger.com,1999:blog-4357333041761721262012-02-16T19:11:21.474ZThe rants of a Oracle Database Security Consultant. 1521 is the unofficial port of the Oracle database listener.Simon Fletcherhttp://www.blogger.com/profile/09412451086711899558noreply@blogger.comBlogger3125tag:blogger.com,1999:blog-435733304176172126.post-86779686390659163352010-02-20T09:30:00.001Z2010-02-20T15:59:57.972Z2010-02-20T15:59:57.972Z

The Oracle database initialization parameter SQL92_SECURITY is an often overlooked security parameter. Either because people don't understand it or because they think it's irrelevant.So what does it do? Well, to quote the documentation:"The SQL92 standards specify that security administrators should be able to require that users have SELECT privilege on a table when executing an UPDATE or DELETE <img src="http://feeds.feedburner.com/~r/fifteentwentyone/~4/vpehNVT1hlA" height="1" width="1"/>

Simon Fletcherhttp://www.blogger.com/profile/09412451086711899558noreply@blogger.com1http://blog.fifteentwentyone.co.uk/2010/02/sql92security.htmltag:blogger.com,1999:blog-435733304176172126.post-57424796651169619502010-02-08T13:23:00.019Z2010-02-09T10:51:28.018Z2010-02-09T10:51:28.018Z

David Litchfield of NGS Software recently gave a presentation at Black Hat DC 2010 entitled "Hacking Oracle11g". In this presentation he discloses a couple of vulnerabilities that allow an unprivileged database user to execute arbitrary commands on the database host. In Linux/Unix environments this mean running commands as the Oracle owner (normally "oracle") and on Windows environments as "<img src="http://feeds.feedburner.com/~r/fifteentwentyone/~4/UFunp6HRGWE" height="1" width="1"/>

Simon Fletcherhttp://www.blogger.com/profile/09412451086711899558noreply@blogger.com0http://blog.fifteentwentyone.co.uk/2010/02/responsible-disclosure.htmltag:blogger.com,1999:blog-435733304176172126.post-34241682089302405272009-11-27T08:54:00.014Z2010-02-09T10:45:11.215Z2010-02-09T10:45:11.215Z

My first rant on this blog might as well be one of my favourites, although regrettably a bit long... I frequently see on customer sites database profiles implemented for application users but not for database administrators or default accounts (e.g. SYS &amp; SYSTEM). Okay basic refresh: Database profiles enforce resource and password restrictions on database user accounts. It’s these password <img src="http://feeds.feedburner.com/~r/fifteentwentyone/~4/VSoQrMHAAMA" height="1" width="1"/>

Simon Fletcherhttp://www.blogger.com/profile/09412451086711899558noreply@blogger.com0http://blog.fifteentwentyone.co.uk/2009/11/database-profiles.html