Full Disclosure mailing list archives
Re: Which is more secure? Oracle vs. Microsoft
From: "David Litchfield" <davidl () ngssoftware com>
Date: Tue, 21 Nov 2006 17:15:29 -0000
But you are comparing apples and oranges. Oracle is a much more complex product and has a lot more features than SQL Server. It's a little bit like comparing an Airbus with a Cessna. Both are airplanes...
I disagree. The amount of attack surface has everything to do with security robustness.
Oracle 10g Rel. 2 for example has 17,261 PL/SQL functions and procedures (select count(*) from all_procedures, default installation with samples).
Exactly my point. Oracle should install with as few components as possible - it should be secure out of the box - and it is not.
The following bugs are Oracle application server bugs (Oracle Portal 9.0.2) and not RDBMS bugs. Oracle looks a little bit better now (- 6 security bugs)...
wwv_form.genpopuplist SQL Inj., Alert 61, CVE-2003-1193
wwv_ui_lovf.show SQL Inj., Alert 61, CVE-2003-1193
ORG_CHART.SHOW SQL Inj., Alert 61, CVE-2003-1193
wwa_app_module.link SQL Inj., Alert 61, CVE-2003-1193
wwv_dynxml_generator.show, Alert 61, CVE-2003-1193
You're wrong. Whilst they might be installed with the portal app these are PL/SQL packages in the database server. If you want these removed then I should remove the SQLXML stuff from SQL Server as it's an add on component.
The SOAP bug (Alert 65) is not a RDBMS bug (see http://www.oracle.com/technology/deploy/security/pdf/2004alert65.pdf)
Again you're wrong. If you take another look at the link you provided it says that "Oracle9i Database Server Release 2, versions 9.2.01 and later" are affected. The problem lies in soap.jar and can be exploited via the RDBMS.
Cheers,
David
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/