Re: Slightly OT: Java in the DB
In article <OFF4102CD0.9E44E977-ON88256E44.0009FF5F-88256E44.000A24CA_at_radisys.com>, Jared.Still_at_radisys.com writes
>I'm not a security expert, but it seems to me there are some
>exploits you would need to take into consideration.
>
>SQL Injection comes to mind.
Hi Mike,
I think Jared is right. This sounds like a hacker's paradise. I hope that you are not exposing this functionality to the Internet and your web page is only available from within your company. I have doubts about your admin database as well; if a hacker gains access to it, he will have a springboard to all other databases in your company, complete with lists of users and possibly a way to hack passwords. Even info about which accounts are locked or becoming expired.
Jared is right about SQL injection and there are potentially many other ways to hack your databases as well. You should have a read of some of the papers on my site that I have written specifically about Oracle security. Particularly, there are three about SQL Injection, and you should also take a look at the security checklists further down the page.
The link is http://www.petefinnigan.com/orasec.htm
I can see your need to do this but opening up your databases like this could land you in trouble. Have you considered LDAP / single sign on instead?
hth
kind regards
Pete
--
Pete Finnigan
email: pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.

Received on Tue Feb 24 2004 - 07:11:59 CST