Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle applications auditing"] [Next entry: "Tales of the Oak Table - Dave Ensors comments on Oracle security"]


I talked about DBMS_SYSTEM.KSDWRT yesterday in an entry to this web log about the security dangers involved in using DBMS_SYSTEM.KSDWRT to write arbitrary text strings to the alert log. I have just received an email about this issue pointing out that the entire database will crash if an overly long string is passed to this function rather than simply a session crash or denial of service.

This can only be fixed by applying the patches from alert 68. A good practice if you do use this function is to wrapper the function with code of your own to check the length of the parameters used. Keep the parameter lengths to suitable values such as 80 characters so that the text fits on a standard screen or any other suitably short value. This will also enable you to still use long strings but they would be transposed to multiple calls to DBMS_SYSTEM.KSDWRT.

The ideal situation is to not allow access to this package or its functions.

There has been 2 Comments posted on this article

November 22nd, 2004 at 04:04 pm

Pete Finnigan says:

is this possibleto access throw oracle http server,if we give the proper privilage?

November 22nd, 2004 at 05:25 pm

Pete Finnigan says:

The default is that no normal users have been granted access to this package so it should not be possible to exploit it unless access to a user with rights to execute this package is available. e.g - the DBA has granted execute privileges on it. Whether it can be executed remotely via the HTTP server will depend on setup.