Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Turkey, Germany, York, Holland and the Oak Table book"] [Next entry: "SANS 2010 CWE/SANS Top 25 Most Dangerous Programming Errors"]

SQL Injection and Java exploits



It has been a while since my last blog post as I have been extremely busy over the last weeks and this blog post is being posted straight after finishing a customer training session using the clients internet connection (with permission!) before i disapear off site.

If you would like to book my how to perform a security audit of an Oracle database training class at your site, please drop me an email (see my contacts page), it is very popular at present and providing benefits to a lot of people on both public classes and also private classes. We do fixed prices for up to 2 people, up to 4 people and up to 8 people. We can of course accomodate more people but this is unusual for private classes but not for public ones.

I was emailed by Mike Smithers last week to let me know about his very nice article about SQL injection posted to his blog and titled "Self-Inflicted SQL Injection â€" don’t quote me !". Mike kindly let me know but I have had little time to read it until i finally did so this lunch time. The article is very nice and concentrates on the issue of objects created in the database that are themselves injection payloads. This can be an object or a user (which of course is still an object in the dictionary). This idea has been around for quite a while but its nice to see a paper on it.

Also David released a new idea on exploiting Java at Blackhat which included a 0-Day exploit against Oracle. The exploit is shown in Sumit Siddarths blog in a post titled http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/HackingOracle11g (broken link) - which also includes a link to Davids blackhat presentation video. Paul has written a short paper titled "Securing Java in Oracle" that gives some details of the vulnerability and also some ideas on securing against in in the absense of a patch. Its nice to see that Paul has included some of the ideas on checking in depth (i.e. packages that use packages ect and ad-infinitum) that i have been talking about in presentations for a few years at places such as the UKOUG and also in my training classes. I will also be covering these ideas and more in two webinars for Sentrigo in a few weeks time (see the links on my home page to register for the talks. One is on European time and one on US time. Nice paper Paul!