I had a conversation with someone on email over a few days last week about exploits that could be demonstrated against version 7 and 8 databases still in production that could not be patched for alert 68. What they wanted to do was demonstrate whether these versions are still affected by the alert but cannot be patched. The conversation was about revealing knowledge of exploits that could then be used to demonstrate whether there is an issue. This conversation got me thinking later about the Oracle exploits that are public - e.g. exploit code can be found somewhere on the net. There are a number of locations on the net that include exploit code for Oracle software such as the Packet Storm website. Some of the commercial scanners such as Application Security Inc's AppDetective and NGS Softwares Squirel include implicit knowledge of some exploits if not as such divulging the actual exploit to the public. Free tools such as Nessus also include checks for Oracle security issues. With Nessus you can examine the code and see that in a lot of cases a check to see if the software is exploitable is done simply by checking versions. What about when someone wants to be sure about whether their installation is vulnerable? - The only way sometimes is t use real exploits.
So it got me thinking about adding some links to known Public Oracle exploit code on my site. Then another thought crossed my mind - To do so would involve adding a new menu item again and that would mean me power editing all the existing pages. So i started to think about whether I could use blog software as a content management system for the whole of my web site. I am using http://www.noahgrey.com/greysoft/ - (broken link) greymatter now for this web log and as its template based i should be able to use it to generate pages for my existing site so making it easier to extend the structure of the static part of the site and also to add content. So i have spent a couple of hours reading about greymatter templates in more detail this evening - It makes a change from surfing for Oracle info. :)....
Anyway now I am considering whether it’s worth learning more about greymatter templates and converting the whole site or indeed using another blog software such as Movable Type. It is really down to whether it’s a better use of my time to bite the bullet and learn the templates or to simple power edit. I will add an exploits page to my site in the next few days to link to the publicly known exploits that I known about. I think this could be useful for those interested in Oracle security.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Interesting discussion on DBMS_SUPPORT versions"] [Next entry: "Default password lists and updates"]
November 2004
- Another good paper by Howard Rogers on read-only tables - 11/01/2004 by 11/01/2004
- The 9.2.0.6 patch set is out - 11/02/2004 by 11/02/2004
- Nice four part paper on label security by Jim Czuprynski - 11/03/2004 by 11/03/2004
- Howard Rogers has a new ebook out - 11/04/2004 by 11/04/2004
- Patrik Karlsson releases OScanner - A new free Oracle security vulnerability scanner - 11/05/2004 by 11/05/2004
- Post on ORACLE-L : Exploring Oracle November 2004 and REMOTE_OS_AUTHENT - 11/06/2004 by 11/06/2004
- Two great papers and tools by Tim Gorman - 11/07/2004 by 11/07/2004
- A lot of new pages on my site - 11/08/2004 by 11/08/2004
- A new Oracle default password checking tool is available - 11/09/2004 by 11/09/2004
- Small update to the default password check scripts - 11/10/2004 by 11/10/2004
- Colin Maxwell talks about securing web services using JDev and WS-Security - 11/11/2004 by 11/11/2004
- Hack notes books - 11/12/2004 by 11/12/2004
- Interesting discussion on DBMS_SUPPORT versions - 11/13/2004 by 11/13/2004
- Exploits and blog software - 11/14/2004 by 11/14/2004
- Default password lists and updates - 11/15/2004 by 11/15/2004
- 600 Oracle default usernames/passwords available - 11/16/2004 by 11/16/2004
- Two more "takes" on the Gartner / Oracle exploit information release reluctance - 11/17/2004 by 11/17/2004
- An interesting case of information disclosure - 11/18/2004 by 11/18/2004
- Three more news sites are talking about the new patch schedule - 11/19/2004 by 11/19/2004
- More news on the new patch schedule - 11/20/2004 by 11/20/2004
- Frank Nimphius talks about showing/hiding UIX components based on isUserInRole() - 11/21/2004 by 11/21/2004
- Amis blog - shows how to create a certificate and configure OC4J to use it - 11/22/2004 by 11/22/2004
- Oracle secalert_us have sent out emails to tell some customers about the quarterly patch schedule - 11/23/2004 by 11/23/2004
- And still more news stories - 11/24/2004 by 11/24/2004
- Colin Maxwell talks about reducing the scope for encryption - 11/25/2004 by 11/25/2004
- James Morle's book is available as a free pdf - 11/26/2004 by 11/26/2004
- Edward Stangler talks about running catpatch - 11/27/2004 by 11/27/2004
- Looks like 9.2.0.6 is available on more platforms now - 11/28/2004 by 11/28/2004
- A good list of Oracle security check items - 11/29/2004 by 11/29/2004
- Edward Stanglers next post in the not running catpatch.sql series - 11/30/2004 by 11/30/2004
Archives
Syndication
Powered by gm-rss 2.0.0
