Musings on Database Security
 
Showing 1-10 of 44 records
 
Tapulous MySQL Error and SQL Injection vulnerability

2010-01-07 03:38:59 by Slavik in Musings on Database Security
 
I've talked about displaying errors from the database on the user screen a while ago. In my opinion, this is definitely a big no-no and a security problem just waiting to happen. As some of you know, I have an iPhone (and I like it a lot, but that's another story). I've installed a nice little
Getting closer to a national breach notification law

2010-01-04 16:41:19 by Slavik in Musings on Database Security
 
In the midst of all the excitement around healthcare reform, the fact that both the House and Senate made some progress on their (separate) bills for protecting personal information hasn't received the attention it deserves. Sure, I think we're up to 46 states that now have their own breach notification laws, but simplifying this and
New Year's resolutions & predictions

2009-12-23 22:37:59 by Slavik in Musings on Database Security
 
As another year comes to a close, it's time for both New Year's resolutions as well as predictions. On the resolutions front, I hope to be much more active on my blog next year. As we grow as a company, I seem to have less time for my musings, as I spend more time with customers
CREATE TABLE to OSDBA

2009-10-27 15:43:55 by Slavik in Musings on Database Security
 
Paul Wright has written an excellent paper on an interesting way to attack Oracle using external tables. It just goes to show that any permission can be abused in the right circumstances. I'm still amazed that UTL_FILE is still granted to PUBLIC by default. Anyways, great work, Paul
Oracle October 2009 CPU

2009-10-21 12:47:41 by Slavik in Musings on Database Security
 
Oracle has released the October CPU with 38 announced security fixes (and more under the covers). 16 database vulnerabilities, out of which a mind-blowing 6 may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Also, 3 of those will allow you to
Blind SQL Injection in Oracle

2009-10-13 16:48:36 by Slavik in Musings on Database Security
 
I'm doing a lot of presentations where I mention SQL injection and even show detailed examples of both injecting applications and injecting stored program units within the database. What I'd like to do in this post is describe SQL injection types, give concrete examples for web applications and Oracle, and talk a bit about blind
Effective and Efficient Regular Expressions

2009-10-08 19:39:53 by Slavik in Musings on Database Security
 
Another guest post by Roy Fox, Sentrigo's Head of Security Research. Here is a list of things worth considering when using regular expressions. Some of the tips are Hedgehog-related. Use predefined character sets: you should usually prefer using predefined character sets, such as \d, to explicit ones, such as [0-9]. Some character sets provide...
New FPGA-based Oracle password cracker

2009-10-05 15:41:55 by Slavik in Musings on Database Security
 
Dennis Yurichev just dropped me a note about his new web front end for his FPGA-based password cracker. Looks very interesting as now you can write some interesting PL/SQL code to crack passwords directly from the database using this available web interface. Right now, it appears that most users are the usual suspects testing it
Oracle client changing the program name in the session

2009-10-02 01:39:29 by Slavik in Musings on Database Security
 
I always wondered how Oracle Client knows to send my program name to the server process to be stored in x$ksuse (v$session). I had my assumptions, but finally I had a chance to verify them as a fellow developer asked me this question. I've created a simple ocitest C program to connect to Oracle and select
RBS WorldPay site got hacked

2009-09-23 09:39:12 by Slavik in Musings on Database Security
 
OK, it looks like this was a test site, but nevertheless it makes you wonder. Leaving web applications vulnerable to SQL injection and entire databases out there without protection is a sure way to get yourself hacked. It doesn't even matter if the site was a test site (I hope it was), but we've seen many