On 2/4/06, Mladen Gogala <gogala@xxxxxxxxxxxxx> wrote:
>
> On 02/04/2006 08:20:41 PM, Jared Still wrote:
> > https://metalink.oracle.com/metalink/plsql/showDoc?db=NEW&id=1696291.993
>
> Are you referring to Oracle's reaction to David Litchfield's findings?
> --
> Mladen Gogala
> http://www.mgogala.com
>

Yes.

I see the text is available now. It seemed very interesting, as Litchfield has grown increasingly frustrated with Oracle regarding the patching of serious security holes.

Oracle's response to this is rather more candid than what is usually seen, and seems to indicate Oracle's increasing frustration with Litchfield.

Questions that arise from this, and have certainly arisen a number of times previously to this:

* If the only people that know about these security holes are researchers that devote considerable time to finding these holes, what is gained by releasing the info before the patches are available? (No known exploits for most of these have been found in the wild.)

* Is this just a ploy by Litchfield to gain publicity, or is it one-upmanship among security researchers? I mean no disrespect to Litchfield, but the question must be asked.

Litchfield released a workaround for this hole, but it has not had the extensive testing that Oracle must do before releasing a workaround to be applied to httpd.conf.

From bugtraq:

    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
    RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
    RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

A reply to Litchfield's post on bugtraq stated that this workaround breaks HTMLDB (excuse me: Oracle Application Express). Oracle states that this will also break eBusiness Suite.

The state of Oracle security has been somewhat questionable as of late. Some of Litchfield's frustration is understandable, as some flaws in Oracle have been uncorrected for literally years after they were notified of the problems.

Frustration on the part of the lowly DBA increases as well. Here we are, applying non-trivial patches (which sometimes need to be done twice if you are an unfortunate early adopter), knowing full well that there are known issues that are not addressed by the patch. Even those problems that are addressed by security problems are not always corrected, requiring only a small change in the exploit to get around the security 'fix'.

So, while Oracle and the researchers duke it out, the DBAs and other customers of Oracle are caught in the middle.

Gotta go now, breakfast is ready. :)

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
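The breakage reported for HTMLDB and eBusiness Suite follows directly from how blunt the two rewrite rules are. The following is an added example (not code from the post or from bugtraq) that emulates the rules in Python over a few constructed PL/SQL-gateway style requests to show which ones they would deny; it assumes, as Apache's mod_rewrite docs describe for server context, that %{QUERY_STRING} is tested raw while the RewriteRule pattern is tested against the %-decoded URL path.

```python
import re
from urllib.parse import unquote

# The regex used by both the RewriteCond and the second RewriteRule,
# copied verbatim from the bugtraq workaround. Note the alternation:
# "anything containing ')'" OR "anything containing '%29'".
PAREN_OR_ENCODED = re.compile(r"^.*\).*|.*%29.*$")
ANY_PATH = re.compile(r"^.*$")  # pattern of the first RewriteRule


def would_be_denied(path: str, query: str) -> bool:
    """Return True if the workaround would redirect this request to denied.htm.

    Modelling assumption (not stated in the post): the query string is
    matched undecoded, the path is matched after %-decoding.
    """
    decoded_path = unquote(path)
    # Rule 1: RewriteCond on the raw query string, then RewriteRule ^.*$
    if PAREN_OR_ENCODED.search(query) and ANY_PATH.search(decoded_path):
        return True
    # Rule 2: unconditional RewriteRule on the (decoded) path
    if PAREN_OR_ENCODED.search(decoded_path):
        return True
    return False


# Constructed sample requests, not captured traffic. Only the
# last two contain a ')' for a reason unrelated to any attack.
SAMPLE_REQUESTS = [
    ("/pls/htmldb/f", "p=100:1"),                        # plain page
    ("/index.html", ""),                                 # static content
    ("/pls/htmldb/f", "p=100:1:::NO::P1_X:foo%29bar"),   # benign encoded ')'
    ("/pls/htmldb/wwv_flow.accept", "p_arg=x(1)"),       # benign literal ')'
    ("/pls/htmldb/f%29", ""),                            # ')' in the path
]


def classify(requests=SAMPLE_REQUESTS):
    """Map each request URL to whether the workaround denies it."""
    return {(f"{p}?{q}" if q else p): would_be_denied(p, q)
            for p, q in requests}


if __name__ == "__main__":
    for url, denied in classify().items():
        print("DENIED " if denied else "allowed", url)
```

Any legitimate parameter value that happens to contain a closing parenthesis, encoded or not, is redirected, which is exactly the collateral damage reported for applications that pass such values through the gateway.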