Oracle security flaw.

Kula · Post by **Kula** » Thu Jan 26, 2006 4:30 pm

http://www.foxnews.com/story/0,2933,182910,00.html

Nikore · Post by **Nikore** » Thu Jan 26, 2006 4:47 pm

*SMACKS KULA* you should NEVER post anything from fox news, fox news is not news its some reality show that has shitty ratings.

As for the actual security flaw, I don’t see how this is any more or less dangours then any of the other security flaws for computers. I mean basically this flaw will allow people to root the DB, well if your root the computer the DB is on you accomplish the same task. That and Oracle has a pretty good history in security when it comes to there software.

The real story there is that Oracle is pull the same shit as Microsoft when it comes to fixing their stuff. Being all ninja secretive like. I have a better article about it here Click here

edit: to fix my tags sorry, use to html not BBCode

Kula · Post by **Kula** » Thu Jan 26, 2006 5:02 pm

From what I understand from a few discussions with DBA's at the company I used to work for.....root access of the box does not grant you any particular access to the database.....and visa versa.

Fallakin Kuvari · Post by **Fallakin Kuvari** » Thu Jan 26, 2006 5:11 pm

Nikore wrote:*SMACKS KULA* you should NEVER post anything from fox news, fox news is not news its some reality show that has shitty ratings.

What do you watch, the Communist News Network?

Nikore · Post by **Nikore** » Thu Jan 26, 2006 5:49 pm

Fallakin Kuvari wrote:
Nikore wrote:*SMACKS KULA* you should NEVER post anything from fox news, fox news is not news its some reality show that has shitty ratings.
What do you watch, the Communist News Network?

No, I dont watch the news I read it for the most part. I usally read the BBC they seem to be the best.

Kula,

Im not a DBA but I am a NA and trust me if you root the DB server you can access the files the tables are written too and if you know how you can alter the tables by hand. Thus rooting the DB while your at it, now if you only root the DB you might not be able to access the actual system. Meaning, if you root the DB and get shell access to the DB normally you can use an escape char to access the shell below it, and you'll normally have the same level access your DB account has. This depends on how you have the server set up and the type of access controls you have set up. I have rooted my own DB several times becaues I forgotten the retartedly long password I assign to the root account of it. But I use MySQL for the most part.

Post by **Ddrak** » Thu Jan 26, 2006 11:42 pm

I hate companies that bitch about full disclosure of bugs and make the researchers out to be the bad guys. Here's a clue - the bad guys know about this shit long before anyone else, making it public is only going to make sysadmins aware of the issue and find their own way to close the hole while the company bitches and moans about fixing it.

And yeah - rooting the server will give you access to the db simply because you can edit the db files directly and change the password underneath the database. Most DBAs don't think like that though.

Dd

Nikore · Post by **Nikore** » Fri Jan 27, 2006 1:04 am

Yeah, I agree! Its completely retarded that these companies bitch when any one else but them find a bug and publish about it. I can't find the article but some dude got sued by Cisco because he found a flaw in there routing software and then wrote a patch and talked about it at one of the Hacker Conventions (think it was DefCon). Cisco was claming that be doing this he was helping the "bad guys" and giving them the code necessary to do some "serious" damage. It was completely retarded, like on the level of RIAA retardation.