Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Stephen Kost ( has released an analysis of the mod_plsql 0-day bug / workaround"] [Next entry: "patch set does not include latest security fixes!"]

Alex has described a new work around for the mod_plsql 0-day bug

Alex yesterday released an update to his page "SQL Injection via mod_plsql". In ths update Alex describes a new workaround for this issue that has been suggested by Vladimir Zakharychev from Webrecruiter. This works by setting the parameter always_describe to ON up to 3.0.9.x.x and in higher versions the parameter PlsqlAlwaysDescribeProcedure to ON.

When this is ON, mod_plsql describes all procedures before running them, so if a hacker tries to inject code it will fail the describe. Alex warns that there are performance issues with enabling this parameter.