Re: [Full-disclosure] Which is more secure? Oracle vs. Microsoft

From: David Litchfield (davidlngssoftware.com)
Date: Tue Nov 21 2006 - 11:15:29 CST


> But you are comparing apples and oranges. Oracle is a much more complex
> product and has a lot more features than SQL Server. It's a little bit like
> comparing an Airbus with a Cessna. Both are airplanes...

I disagree. The amount of attack surface has everything to do with
security robustness.

> Oracle 10g Rel. 2 for example has 17,261 PL/SQL- functions and procedures
> (select count(*) from all_procedures, default installation with samples).

Exactly my point. Oracle should install with as few components as possible -
it should be secure out of the box - and it is not.

> The following bugs are Oracle application server bugs (Oracle Portal 9.0.2)
> and not RDBMS bugs. Oracle looks a little bit better now (- 6 security
> bugs)...
>
> wwv_form.genpopuplist SQL Inj., Alert 61, CVE-2003-1193
> wwv_ui_lovf.show SQL Inj., Alert 61, CVE-2003-1193
> ORG_CHART.SHOW SQL Inj., Alert 61, CVE-2003-1193
> wwa_app_module.link SQL Inj., Alert 61, CVE-2003-1193
> wwv_dynxml_generator.show, Alert 61, CVE-2003-1193

You're wrong. Whilst they might be installed with the portal app these are
PL/SQL packages in the database server. If you want these removed then I
should remove the SQLXML stuff from SQL Server as it's an add on component.

> The SOAP bug (Alert 65) is not a RDBMS bug (see
> http://www.oracle.com/technology/deploy/security/pdf/2004alert65.pdf)

Again you're wrong. If you take another look at the link you provided it
says that "Oracle9i Database Server Release 2, versions 9.2.01 and later"
are affected. The problem lies in soap.jar and can be exploited via the
RDBMS.

Cheers,
David
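
The thread measures attack surface with `select count(*) from all_procedures` and argues about whether the Portal packages are database objects. The following SQL is an added example for checking both points on your own Oracle instance; it is not part of the original message or of Oracle's documentation. It assumes a DBA-privileged session in SQL*Plus and uses only the standard `ALL_PROCEDURES`, `DBA_OBJECTS` and `DBA_TAB_PRIVS` views; the five package names are the ones listed in the quoted alert, while the owning schema is deliberately not assumed and is returned by the query instead.

```sql
-- Added example, not from the original thread: an attack-surface audit of
-- the PL/SQL packages installed in an Oracle database, following the
-- measurement used in the discussion (select count(*) from all_procedures).
-- Assumption: run as a DBA-privileged user. The package names below are the
-- five named in the thread; their owning schema is NOT assumed here and is
-- reported by the queries so it can be checked against your installation.

-- 1. Raw count of PL/SQL callables visible to the connecting user
--    (the figure quoted in the thread was taken with this view).
SELECT COUNT(*) AS plsql_callables
  FROM all_procedures;

-- 2. Same count broken down by owning schema, so that optional or sample
--    components stand out from the core packages.
SELECT owner, COUNT(*) AS callables
  FROM all_procedures
 GROUP BY owner
 ORDER BY callables DESC;

-- 3. Are the Portal packages named in the thread present in this database?
--    If they appear here they are database objects, whichever product
--    installed them, and patch status must be tracked on the database side.
SELECT owner, object_name, object_type, status
  FROM dba_objects
 WHERE object_type IN ('PACKAGE', 'PACKAGE BODY')
   AND object_name IN ('WWV_FORM', 'WWV_UI_LOVF', 'ORG_CHART',
                       'WWA_APP_MODULE', 'WWV_DYNXML_GENERATOR')
 ORDER BY owner, object_name, object_type;

-- 4. Which of those packages can be executed by any database user?
--    An EXECUTE grant to PUBLIC is what makes a package bug reachable from
--    the lowest-privileged session.
SELECT grantee, owner, table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE privilege = 'EXECUTE'
   AND grantee   = 'PUBLIC'
   AND table_name IN ('WWV_FORM', 'WWV_UI_LOVF', 'ORG_CHART',
                      'WWA_APP_MODULE', 'WWV_DYNXML_GENERATOR')
 ORDER BY owner, table_name;

-- 5. Broader measure: every object executable by PUBLIC, counted per schema.
--    The larger this list, the more of the installed callables are in reach
--    of an unprivileged account; it is the number to drive down before
--    arguing about how many packages ship out of the box.
SELECT owner, COUNT(DISTINCT table_name) AS public_executable_objects
  FROM dba_tab_privs
 WHERE privilege = 'EXECUTE'
   AND grantee   = 'PUBLIC'
 GROUP BY owner
 ORDER BY public_executable_objects DESC;
```

Query 3 returning rows is the concrete form of the point made above: the Portal packages live in the database whether or not the Portal web tier is in use. Query 4 separates the cases that matter most, since a package that only its owner can execute is a much smaller target than one granted to PUBLIC.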

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/