Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "On Security, Is Oracle the Next Microsoft?"] [Next entry: "Some testing of orabf (Oracle password cracker) speed by Marcel-Jan"]

A nice fix for the Overwrite any file via desname in Oracle Reports bug

I got an email from Jens-Uwe Peterson of http://www.trivadis.com - (broken link) Trivadis GmbH this evening to tell me of a paper written by one of his colleagues Dirk Nachbar who has studied the desname bug in detail and has provided a workable solution for it. His paper is titled http://www.trivadis.com/Images/OASSecurityHoleE_11092005_tcm17-14060.pdf - (broken link)A security hole in Oracle application server (reports) and how to fix it.

This is the bug whereby the desname parameter can be used to overwrite any system file. This is a great paper and well worth reading if you have or run Oracle Reports. Dirk has studied the issue in great detail and has proposed a sound solution using mod_rewrite rules.