Musings on Database Security

CREATE TABLE to OSDBA

Slavik — Tue, 27 Oct 2009 19:23:12 +0000

Paul Wright has written an excellent paper on an interesting way to attack Oracle using external tables. It just goes to show that any permission can be abused in the right circumstances. I’m still amazed that UTL_FILE is still granted to PUBLIC by default. Anyways, great work, Paul!

Oracle October 2009 CPU

Slavik — Wed, 21 Oct 2009 16:23:13 +0000

Oracle has released the October CPU with 38 announced security fixes (and more under the covers). 16 database vulnerabilities out of which a mind blowing 6 may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Also, 3 of those will allow you to [...]

Blind SQL Injection in Oracle

Slavik — Tue, 13 Oct 2009 18:19:31 +0000

I’m doing a lot of presentations where I mention SQL injection and even show detailed examples of both injecting applications and injecting stored program units within the database. What I’d like to do in this post is describe SQL injection types, give concrete examples for a web applications and Oracle and talk a bit about blind [...]

Effective and Efficient Regular Expressions

Slavik — Thu, 08 Oct 2009 23:00:24 +0000

Another guest post by Roy Fox, Sentrigo’s Head of Security Research. Here is a list of things worth considering when using regular expressions. Some of the tips are Hedgehog related. Use predefined character sets You should usually prefer using predefined character sets, such as \d, to explicit ones, such as [0-9]. Some character sets provide locale and Unicode [...]

New FPGA-based Oracle passwords cracker

Slavik — Mon, 05 Oct 2009 16:53:31 +0000

Dennis Yurichev just dropped me a note about his new web front end for his FPGA-based password cracker. Looks very interesting as now you can write some interesting PL/SQL code to crack passwords directly from the database using this available web interface. Right now, it appears that most users are the usual suspects testing it [...]

Oracle client – changing the program name in the session

Slavik — Fri, 02 Oct 2009 05:57:58 +0000

I always wondered how Oracle Client knows to send my program name to the server process to be stored in x$ksuse (v$session). I had my assumptions but finally I had a chance to verify them as a fellow developer asked me this question. I’ve created a simple ocitest C program to connect to Oracle and select [...]