
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


A new paper on a security hole in Application Server Control

I received an email from Dirk Nachbar to let me know that he has released a new paper concerning a security hole in the Application Server Control. If you want to trace Forms sessions from the Application Server Control web front end, you have to provide a host user name and that user's password (normally the Oracle software installation user: oracle). This information, the username and password, is displayed in the URL and stored in clear text in a log file. Dirk also provides a workaround for avoiding this behaviour. At the moment the white paper is only available in German, but it will be available soon in English. The paper is titled "Forms tracing im Application Server Control Eine Sicherheitslucke?"
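To check whether existing web access logs already hold credentials of the kind described above, the following added example (not from Dirk's paper or from Oracle) scans log lines for password-like query parameters and redacts their values. The parameter names, the request path and the sample log lines are constructed assumptions, since this post does not give the real ones.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical parameter names: the post does not name the real ones.
SENSITIVE = {"password", "passwd", "pwd", "hostpassword"}

# Request line of an access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (path and values are invented for illustration).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] '
    '"GET /example/trace?hostuser=oracle&hostpassword=S3cret%21 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2006:10:00:05 +0000] '
    '"GET /example/home?tab=forms HTTP/1.1" 200 1024',
]

def redact_target(target):
    """Return (redacted request target, names of sensitive parameters found)."""
    parts = urlsplit(target)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return target, found
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan(lines):
    """Return ([(line number, [param names])], redacted copy of the lines)."""
    findings, cleaned = [], []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            new_target, found = redact_target(m.group("target"))
            if found:
                findings.append((lineno, found))
                line = line[:m.start("target")] + new_target + line[m.end("target"):]
        cleaned.append(line)
    return findings, cleaned

if __name__ == "__main__":
    hits, redacted = scan(SAMPLE_LOG)
    for lineno, names in hits:
        print(f"line {lineno}: clear-text value in parameter(s) {', '.join(names)}")
    print("\n".join(redacted))
```

Any password found this way should be treated as exposed and changed, because redacting the log does not cover copies already held in backups, proxies or browser history.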