Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Interesting comments about the David Litchfield bug and the Duncan Harris interview"] [Next entry: "Many ways to become a DBA presentation updated"]

Details published about the mod_plsql 0-day bug

Alex has produced a detailed analysis of the "SQL injection bug via mod_plsql" on his website. Alex took almost all of the information in his analysis from the mod_plsql log file. It took Alex only a few minutes in modplsql debug mode to work out how to exploit this bug. This is actually very easy to exploit and in fact the biggest clue to how to exploit this is in Davids post to bugtraq. This is an un-fixed bug and quite serious due to it being internet facing. David's suggestions to use mod_rewrite rules are good but as Alex points out this may not work in older versions due to it being legal to use URL's with function names with brackets.