Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Pete Finnigan (petepeterfinnigan.demon.co.uk)
Date: Mon Nov 19 2001 - 15:26:09 CST
As a lot of people have been interested in what I have written in the
recent past about Oracle security on the pen-test list I thought I would
share a recent issue I found on an Oracle security pentest / audit with
everyone on this list. This is not a bug in oracle but a test parameter
provided by Oracle that can be used maliciously.
An application we looked at used the oracle system date SYSDATE quite
extensively in its functionality and calculations. It was possible to
cause mis-calculations in the system by altering a system parameter.
I have written a short paper describing this if anyone is interested.
Its at http://www.pentest-limited.com/fixed-date.htm.
-- Pete Finnigan IT Security Consultant PenTest Limited
Office 01565 830 990 Fax 01565 830 889 Mobile 07974 087 885