Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Dump"] [Next entry: "Oracle is finally listening to customers about fix times and security patch quality"]

Doug has posted an intersting note about executing of SQL script from URL's



I saw Dougs post tonight titled " http://oracledoug.blogspot.com/2006/01/something-else-i-didnt-know.html - (broken link) Something Else I Didn't Know that talks about the fact that SQL scripts can be executed not just from scripts on the file system but also from URL's. I was aware of this feature and the fact that it is not well known. This feature is a security risk as it means that cross site scripting could be possible against a database using SQL. It could also be possible to use dns spoofing to trick an existing set up that uses SQL*Plus with URL located files to execute other files. I can also conceive of ways that a hacker could get access to SQL*Plus on the server remotely and get it to run an external script located on his own site. This is in cases where the database is behind a firewall and not normally accessible to users who wish to run SQL*Plus.

Think carefully about using this feature and its implications.