
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


An interesting example of information leakage posted to my blog entry

I had a comment posted to the blog entry I made yesterday about information disclosure. Yesterday's entry was prompted by Duncan's post about someone trying to hack the groundside.com web site. The comment posted to my entry by Mr Ed asked whether a post he found on Tom Kyte's AskTom web site was an example of the sort of disclosure that customers of Oracle, or indeed any company using computer systems and applications, should avoid giving out on public forums. The post he cited is "Apache under Oracle". This post seems innocuous, but it displays some data that should not be posted to a public web site. My answer to Mr Ed's comment is repeated here:

"I have just looked at the page you reference on Tom Kyte's site. It's an interesting page and includes two comments from Tom in terms of information leakage. The first being that the configuration is taken from an internal server using mod_gzip and mod_plsql - also further down in the example there is an entry from a log file that shows an IP address and a URL. A quick check on www.whois.sc shows that this is probably an external IP address as it is allocated to Oracle.

So yes, this is a leakage of information that should not really have occurred. A server has been identified; the software running on it is identified as are some configuration details."

This is a good example of public information - on Tom’s website - that leaks information that probably should not have been leaked.
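As an added example (not code from the original post or from Pete's site), here is a small pre-posting check in Python that flags and redacts the kinds of details discussed above before an excerpt is pasted to a public forum: IP addresses, dotted hostnames, the request URL in an access-log line, and LoadModule lines that reveal what software a server runs. The config fragment and log line are constructed sample input (hypothetical hostnames, TEST-NET address), not Tom's page.

```python
import re

# Constructed sample: an Apache config fragment plus an access-log line of the
# kind that gets pasted into forum posts. All values are invented.
SAMPLE = """\
LoadModule gzip_module libexec/mod_gzip.so
LoadModule plsql_module libexec/mod_plsql.so
ServerName intranet-db01.corp.example
192.0.2.45 - - [18/Jan/2005:10:12:33 +0000] "GET /pls/apex/f?p=100:1 HTTP/1.1" 200 5123
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted hostname: one or more labels followed by an alphabetic top-level label,
# so version numbers (1.1) and file names (mod_gzip.so, no word boundary after
# the underscore) are not caught by mistake.
HOSTNAME = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# Combined-log-format request field: method, URL, protocol.
REQUEST = re.compile(r'"(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) (HTTP/\d\.\d)"')


def find_leaks(text):
    """Return (kind, value) pairs a reviewer should look at before posting."""
    leaks = [("ip", m.group()) for m in IPV4.finditer(text)]
    leaks += [("host", m.group()) for m in HOSTNAME.finditer(text)]
    leaks += [("path", m.group(2)) for m in REQUEST.finditer(text)]
    # Module lines disclose what the server runs; they need a human decision
    # rather than automatic masking, so they are only flagged here.
    leaks += [("module", line.split()[-1])
              for line in text.splitlines() if line.startswith("LoadModule")]
    return leaks


def redact(text):
    """Mask addresses, hostnames and request URLs; leave everything else intact."""
    text = IPV4.sub("<ip>", text)
    text = HOSTNAME.sub("<host>", text)
    text = REQUEST.sub(r'"\1 <path> \3"', text)
    return text


if __name__ == "__main__":
    for kind, value in find_leaks(SAMPLE):
        print(f"{kind:7} {value}")
    print(redact(SAMPLE))
```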

Everyone who posts on newsgroups, mailing lists, weblogs and even company websites or forums that are exposed to the Internet should be very careful about what they write. Companies should actually create a business policy that lays down the rules and this should be given to all staff to understand and digest. Set penalties for users who disregard the policy. If an information item gets onto the Internet then it’s very hard to eradicate it. Posts get archived and copied all over the place.

It may be possible to regulate the outflow of information to some extent, but it is impossible to prevent all information outflow of this nature. Companies can regulate access to certain forums, sites, even emails, but that won't stop the use of anonymous emails and web surfing, or even posting from home.

That said, companies should take the time to create a simple policy that defines the type of data that should not be leaked, and should educate staff and enforce the policy. It is important to make staff aware of why this is a good idea; often, once people understand the risks, it becomes second nature not to divulge information that should not be divulged.