Full Disclosure mailing list archives
Re: Which is more secure? Oracle vs. Microsoft
From: "Alexander Kornbrust" <ak () red-database-security com>
Date: Tue, 21 Nov 2006 19:14:52 +0100
David,

Thank you for your answer.

AK> > The following bugs are Oracle application server bugs (Oracle Portal
AK> > 9.0.2)
AK> > and not RDBMS bugs. Oracle looks a little bit better now (- 6
AK> > security bugs)...
AK> > wwv_form.genpopuplist SQL Inj., Alert 61, CVE-2003-1193
AK> > wwv_ui_lovf.show SQL Inj., Alert 61, CVE-2003-1193
AK> > ORG_CHART.SHOW SQL Inj., Alert 61, CVE-2003-1193
AK> > wwa_app_module.link SQL Inj., Alert 61, CVE-2003-1193
AK> > wwv_dynxml_generator.show, Alert 61, CVE-2003-1193

DL> You're wrong. Whilst they might be installed with the portal
DL> app these are PL/SQL packages in the database server. If you
DL> want these removed then I should remove the SQLXML stuff from
DL> SQL Server as it's an add on component.
DL>

That's not true. Or do you think that everything installed IN the database is an Oracle database bug? Many Oracle and non-Oracle applications are installing PL/SQL packages into the database, e.g. APEX, PORTAL, Reports, SAP, ...

Could you explain why PORTAL30.wwv_form.genpopuplist (CVE-2003-1193) is an RDBMS bug but APEX.wwv_flow_utilities.gen_popup_list (CVE-2006-5351) is NOT a database bug? Both are PL/SQL packages from an additional application (Portal vs. APEX/HTMLDB) but the second bug is NOT covered in your paper.

Whatever you say, the numbers in your paper are not correct (too high or too low) ;-). Probably you must add 35 APEX bugs to the next revision of your paper. But at the moment the numbers are inconsistent.

AK> > The SOAP bug (Alert 65) is not a RDBMS bug
AK> > (see
AK> > AK> http://www.oracle.com/technology/deploy/security/pdf/2004alert65.pdf )

DL> Again you're wrong. If you take another look at the link you
DL> provided it says that "Oracle9i Database Server Release 2,
DL> versions 9.2.01 and later"
DL> are affected. The problem lies in soap.jar and can be
DL> exploited via the RDBMS.

That's your opinion. If you read the advisory carefully you see that this bug affects only installations with Oracle HTTP Server (OHS). Do you think that soap.jar is part of the database or part of the HTTP Server? If HTTP is not installed there was no problem. In 2004 Oracle used a different wording than in 2006.

[... extract from advisory ...]
Required Conditions for Exploit
Access to SOAP enabled servers.
Both XML and SOAP are installed by default in Oracle9i Application Server and Oracle9i Database Server when the Oracle HTTP Server is installed.
[...]

Why is the SOAP bug covered by your paper but DB12-DB24 from CPU April 2005 (http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf) are not covered? DB12-DB24, e.g., are part of the Oracle HTTP Server but installed by some database installations.

Cheers,

Alexander

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Which is more secure? Oracle vs. Microsoft David Litchfield (Nov 20)
- Re: Which is more secure? Oracle vs. Microsoft endrazine (Nov 21)
- <Possible follow-ups>
- Re: Which is more secure? Oracle vs. Microsoft David Kierznowski (Nov 21)
- Re: Which is more secure? Oracle vs. Microsoft David Litchfield (Nov 21)
- Re: Which is more secure? Oracle vs. Microsoft Alexander Kornbrust (Nov 21)
- Re: Which is more secure? Oracle vs. Microsoft David Litchfield (Nov 21)
- Re: Which is more secure? Oracle vs. Microsoft Alexander Kornbrust (Nov 21)
- Re: Which is more secure? Oracle vs. Microsoft David Litchfield (Nov 21)