Vulnerability Development mailing list archives
issues with an Oracle8i parameter fixed_date
From: Pete Finnigan <pete () peterfinnigan demon co uk>
Date: Mon, 19 Nov 2001 21:26:09 +0000
Hi All,

As a lot of people have been interested in what I have written in the recent past about Oracle security on the pen-test list, I thought I would share a recent issue I found on an Oracle security pentest / audit with everyone on this list. This is not a bug in Oracle but a test parameter provided by Oracle that can be used maliciously.

An application we looked at used the Oracle system date SYSDATE quite extensively in its functionality and calculations. It was possible to cause miscalculations in the system by altering a system parameter.

I have written a short paper describing this if anyone is interested. It's at http://www.pentest-limited.com/fixed-date.htm.

regards,
Pete Finnigan
www.pentest-limited.com

--
Pete Finnigan
IT Security Consultant
PenTest Limited
Office 01565 830 990
Fax 01565 830 889
Mobile 07974 087 885
pete.finnigan () pentest-limited com
www.pentest-limited.com