Musings on Database Security

Salesforce errors

Slavik — Sat, 06 Feb 2010 19:45:04 +0000

As part of my continued crusade to get rid of all database errors returned from the application to the user, one of our developers sent me the following error message coming from Salesforce.com: SF Error So, what can we learn from the error? SF uses Java as a backend SF uses Oracle as the database The application is programmed using [...]

David Lichtfield in the Oracle cross-hairs (again…)

Slavik — Thu, 04 Feb 2010 02:18:23 +0000

Yesterday at Black Hat, David released information on his latest find, a pretty serious batch of vulnerabilities in Oracle 11g which allows any user to escalate privileges to gain complete access & control of the database. What’s interesting here is not so much that there is yet another vulnerability (for those of you who are running [...]

Scanning random IPs for Oracle Listener

Slavik — Sat, 30 Jan 2010 00:02:56 +0000

Dennis wrote an interesting blog entry about an experiment he conducted. He found that out of roughly every 69,000 randomly scanned IP addresses, there is one open Oracle TNS Listener. That’s interesting because we all know that there are numerous attacks on (even fully patched) listeners that do not require any authentication. Looking at the listener versions, you can [...]

Oracle January 2010 CPU

Slavik — Wed, 13 Jan 2010 23:20:20 +0000

Ah, time flies when you’re having fun. It seams that only yesterday we worked on the October CPU and now Oracle released the January CPU. This time, Oracle acknowledged 24 security fixes, 9 of them in the database layer. This number is a bit lower than the average but as in the previous CPU, you have [...]

Tapulous MySQL Error and SQL Injection vulnerability

Slavik — Thu, 07 Jan 2010 06:36:08 +0000

I’ve talked about displaying errors from the database on the user screen a while ago. In my opinion, this is definitely a big no-no and a security problem just waiting to happen. As some of you know, I have an iPhone (and I like it a lot, but that’s another story). I’ve installed a nice little [...]

Getting closer to a national breach notification law

Slavik — Mon, 04 Jan 2010 22:14:56 +0000

In the midst of all the excitement around healthcare reform, the fact that both the house and senate made some progress on their (separate) bills for protecting personal information hasn’t received the attention it deserves. Sure, I think we’re up to 46 states that now have their own breach notification laws, but simplifying this and [...]