Vulnerability Development mailing list archives

issues with an Oracle8i parameter fixed_date


From: Pete Finnigan <pete () peterfinnigan demon co uk>
Date: Mon, 19 Nov 2001 21:26:09 +0000

Hi All

As a lot of people have been interested in what I have written in the
recent past about Oracle security on the pen-test list I thought I would
share a recent issue I found on an Oracle security pentest / audit with
everyone on this list. This is not a bug in Oracle but a test parameter
provided by Oracle that can be used maliciously. 

An application we looked at used the Oracle system date SYSDATE quite
extensively in its functionality and calculations. It was possible to
cause mis-calculations in the system by altering a system parameter.

I have written a short paper describing this if anyone is interested.
It's at http://www.pentest-limited.com/fixed-date.htm.

regards,
Pete Finnigan
www.pentest-limited.com

-- 
Pete Finnigan
IT Security Consultant
PenTest Limited

Office  01565 830 990
Fax     01565 830 889
Mobile  07974 087 885

pete.finnigan () pentest-limited com

www.pentest-limited.com
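
The audit queries below are an added example, not part of the original post or the linked paper; they show how a DBA could check whether the fixed_date parameter is set and who is able to change it. They assume a session with access to the DBA and V$ views, and that the parameter is changed with ALTER SYSTEM (the post does not name the privilege involved).

```sql
-- Added example: defensive audit for the FIXED_DATE test parameter.

-- 1. Is FIXED_DATE currently pinning SYSDATE to a constant?
--    An unset parameter shows NULL or NONE, so any row returned needs review.
SELECT name, value, ismodified
FROM   v$parameter
WHERE  name = 'fixed_date'
AND    value IS NOT NULL
AND    UPPER(value) <> 'NONE';

-- 2. Which users and roles hold ALTER SYSTEM directly?
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'ALTER SYSTEM'
ORDER  BY grantee;

-- 3. Who inherits ALTER SYSTEM through role grants (roles nested to any depth)?
SELECT DISTINCT grantee
FROM   dba_role_privs
START  WITH granted_role IN (SELECT grantee
                             FROM   dba_sys_privs
                             WHERE  privilege = 'ALTER SYSTEM')
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;

-- 4. Is use of ALTER SYSTEM being audited? No rows means changes to
--    FIXED_DATE would leave no entry in the audit trail.
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
WHERE  audit_option = 'ALTER SYSTEM';
```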

