Re: Which is more secure? Oracle vs. Microsoft

["Alexander Kornbrust" <ak () red-database-security com>]

David,

Thank you for your answer.
 
AK> > The following bugs are Oracle application server bugs (Oracle Portal
AK> > 9.0.2)
AK> > and  not RDBMS bugs. Oracle looks a little bit better now (- 6 
AK> > security bugs)...

AK> > wwv_form.genpopuplist SQL Inj., Alert 61, CVE-2003-1193 
AK> > wwv_ui_lovf.show SQL Inj., Alert 61, CVE-2003-1193 
AK> > ORG_CHART.SHOW SQL 
AK> > Inj., Alert 61, CVE-2003-1193 wwa_app_module.link SQL Inj., 
AK> > Alert 61, 
AK> > CVE-2003-1193 wwv_dynxml_generator.show, Alert 61,CVE-2003-1193

DL> You're wrong. Whilst they might be installed with the portal 
DL> app these are PL/SQL packages in the database server. If you 
DL> want these removed then I should remove the SQLXML stuff from 
DL> SQL Server as it's an add on component.
DL> 

That's not true. Or do you think that everything installed IN the database
is an Oracle database bug? Many Oracle and non-Oracle applications are
installing PL/SQL packages into the database, e.g. APEX, PORTAL, Reports,
SAP, ...  

Could you explain why PORTAL30.wwv_form.genpopuplist (CVE-2003-1193) is a
RDBMS bug but APEX.wwv_flow_utilities.gen_popup_list (CVE-2006-5351) is NOT
a database bug? 

Both are PL/SQL packages from an additional application (Portal vs.
APEX/HTMLDB) but the second bug is NOT covered in your paper.  

Whatever you say the numbers in your paper are not correct (too high or too
low) ;-). Probably you must add 35 APEX bugs to the next revision of your
paper. But at the moment the numbers are inconsistent.



AK> > The SOAP bug (Alert 65) is not a RDBMS bug
AK> >    (see
AK> > 
AK> http://www.oracle.com/technology/deploy/security/pdf/2004alert65.pdf )

DL> Again you're wrong. If you take another look at the link you 
DL> provided it says that "Oracle9i Database Server Release 2, 
DL> versions 9.2.01 and later" 
DL> are affected. The problem lies in soap.jar and can be 
DL> exploited via the RDBMS.

That's your opinion. If you read the advisory carefully you see that this
bug affects only installations with Oracle HTTP Server (OHS). Do you think
that soap.jar is part of the database or part of the HTTP Server? If HTTP is
not installed there was no problem. In 2004 Oracle used the a different
wording than 2006.

[... extract from advisory ...]
Required Conditions for Exploit
Access to SOAP enabled servers. Both XML and SOAP are installed by default
in Oracle9i
Application Server and Oracle9i Database Server when the Oracle HTTP Server
is installed.
[...]

Why is the SOAP bug covered by your paper but DB12-DB24 from CPU April 2005
(http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf) are
not covered. DB12-DB24 e.g. are part of the Oracle HTTP Server but installed
by the some database installations.


Cheers,

 Alexander 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/