issues with an Oracle8i parameter fixed_date

From: Pete Finnigan (peteat_private)
Date: Mon Nov 19 2001 - 13:26:09 PST


    Hi All
    
    As a lot of people have been interested in what I have written in the
    recent past about Oracle security on the pen-test list I thought I would
    share a recent issue I found on an Oracle security pentest / audit with
    everyone on this list. This is not a bug in Oracle but a test parameter
    provided by Oracle that can be used maliciously. 
    
    An application we looked at used the Oracle system date SYSDATE quite
    extensively in its functionality and calculations. It was possible to
    cause mis-calculations in the system by altering a system parameter.
    
    I have written a short paper describing this if anyone is interested.
    It's at http://www.pentest-limited.com/fixed-date.htm.
    
    regards,
    Pete Finnigan
    www.pentest-limited.com
    
    -- 
    Pete Finnigan
    IT Security Consultant
    PenTest Limited
    
    Office  01565 830 990
    Fax     01565 830 889
    Mobile  07974 087 885
    
    pete.finnigan@pentest-limited.com
    
    www.pentest-limited.com
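
An added audit example, not part of the message above or of the linked paper: one way to check whether FIXED_DATE is currently set and which accounts hold the ALTER SYSTEM privilege that allows changing it. It assumes the auditing account can read V$PARAMETER and the DBA_* dictionary views.

```sql
-- Added example (audit queries, run from SQL*Plus as an account that can
-- read V$PARAMETER, DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS).

-- 1. Is FIXED_DATE set? ISDEFAULT = 'FALSE' means it was set explicitly,
--    in which case SYSDATE returns the constant shown in VALUE.
SELECT name, value, isdefault, issys_modifiable
FROM   v$parameter
WHERE  name = 'fixed_date';

-- 2. Compare SYSDATE with the operating system clock by eye; a frozen or
--    implausible value here is the symptom applications would see.
SELECT TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS') AS db_sysdate
FROM   dual;

-- 3. Users and roles granted ALTER SYSTEM directly.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'ALTER SYSTEM'
ORDER  BY grantee;

-- 4. Users who reach ALTER SYSTEM through one or more nested roles.
--    The hierarchy walks from each role holding the privilege down to
--    everything that role has been granted to.
SELECT DISTINCT grantee
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START  WITH granted_role IN (SELECT grantee
                             FROM   dba_sys_privs
                             WHERE  privilege = 'ALTER SYSTEM')
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;
```

Any application account appearing in the results of queries 3 or 4 is a candidate for privilege reduction, since the application only needs to read SYSDATE, not change system parameters.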
    



    This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 14:50:17 PST