The Week of Oracle Database Bugs
os2man writes "After the Month of Browser Bugs and the Month of Kernel Bugs, December will have a Week of Oracle Database Bugs. This project will release, every day for a week, a new 0-day bug specific to Oracle in order to show the current status of its [in]security. They are currently asking for new bugs, in order to extend the publication of new exploits a few more days."
Maybe they should look at security issues with Oracle's Discoverer client as well. It's pretty sad when having "@" in your password will compromise every character that follows within your password. For example, if ODB password were Sl@shd0t! and the database to connect to were BOB, at the next login the Connect field would be filled with shd0t!@BOB. Not a huge issue, but certainly a risk if multiple people with varying permissions/responsibilities in Oracle have access to a machine with Discoverer.
It does make sense, but it's just not very smart.
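The Discoverer behaviour described in the comment above is what you would see if a connect string of the form user/password@database were split at the first "@". The following is an added example, not part of the original thread and not Discoverer's code; the split-at-first-"@" mechanism, the user name scott and all function names are assumptions made for illustration.

```python
"""Constructed illustration of '@' handling in user/password@database strings."""

def split_first_at(connect):
    # Assumed flawed behaviour: everything after the FIRST '@' is the database.
    cred, _, database = connect.partition("@")
    user, _, password = cred.partition("/")
    return user, password, database

def split_last_unquoted_at(connect):
    # Hardened form: the separator is the LAST '@' outside double quotes,
    # so '@' inside the password never reaches the database field.
    in_quotes, at = False, -1
    for i, ch in enumerate(connect):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            at = i
    cred, database = (connect[:at], connect[at + 1:]) if at >= 0 else (connect, "")
    user, _, password = cred.partition("/")
    if len(password) >= 2 and password[0] == password[-1] == '"':
        password = password[1:-1]  # strip the surrounding quotes
    return user, password, database

def leaked_fragment(password, connect_field):
    # Check before persisting a UI field: does it begin with the tail of the
    # password that follows an '@'? Returns the leaked tail, or None.
    for i, ch in enumerate(password):
        if ch == "@":
            tail = password[i + 1:]
            if tail and connect_field.startswith(tail + "@"):
                return tail
    return None

if __name__ == "__main__":
    s = "scott/Sl@shd0t!@BOB"  # constructed input; user 'scott' is hypothetical
    for parse in (split_first_at, split_last_unquoted_at):
        user, password, database = parse(s)
        print(parse.__name__, "->", repr(database),
              leaked_fragment("Sl@shd0t!", database))
```

Running a check like leaked_fragment over any value that is about to be written back into a remembered login field catches this class of leak regardless of where the parsing went wrong.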
This is a group of (or singular) kiddies who want to make Oracle look bad. That's fine, and Oracle is a big company that I'm sure can take care of itself (C&D paperwork is probably burning out toner cartridges by the gross at Oracle HQ as we speak). My concern is that folks that are good at security testing, but too young to know how to direct their efforts constructively, are going to destroy their fledgling careers before they get started. Many such bright kids these days assume that they'll make a name for themselves, and then the consulting bucks will roll in. Problem is that the wrong kind of press can lead to SOME work, but far less than you would have gotten by building a reputation in the industry through the quality of your work and references.
As with security, in the job/consulting world social engineering is often a better approach than trying to pick the lock on the front-door.
Not necessarily a security bug, but it can be annoying. This comes from the project description, as a warning when trying to do natural joins for the project.
This query:
select ordid, lineno, orderdate
, descrip "Description"
, total
from ord natural join item natural join product
is evaluated incorrectly in Oracle 10g (rel. 10.2.0.1).
Compare its output with the correct results generated by this query:
select ordid, lineno, orderdate
, descrip "Description"
, total
from item natural join product natural join ord
or this:
select ordid, lineno, orderdate
, descrip "Description"
, total
from ord natural join (item natural join product)
or this:
select ordid, lineno, orderdate
, prodid
, descrip "Description"
, total
from ord natural join item natural join product
This solution:
select ordid, lineno, orderdate
, descrip "Description"
, total
from (ord natural join item) natural join product
does not work either. The optimizer insists on doing a cartesian product between ORD and PRODUCT.
This is a new bug. It does not exist in Oracle 9i, which evaluates all queries correctly.