Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "O'Reilly CodeZoo"] [Next entry: "Frank talks about the OWASP security conference"]

Alex Kornbrust has released a new paper SQL Injection in Oracle Forms

I just got an email from Alex to let me know that he has just released a new paper called "SQL Injection in Oracle Forms" that talks about a SQL Injection issue that is inherent in all default installations of Oracle Forms. This is because it is possible to simply pop up a "Query/Where" window that allows the user to enter any SQL statement. Alex demonstrates how this can be used to send results of a query to an external website using UTL_HTTP. Alex also talks about simple fixes to rectify the problem.

The paper is also available in German.

This issue should be fixed in CPU April 12 due very soon!