Date: Tue, 21 Nov 2006 17:15:29 -0000
From: "David Litchfield" <davidl@...software.com>
To: "Alexander Kornbrust" <ak@...-database-security.com>,
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: Which is more secure? Oracle vs. Microsoft

> But you are comparing apples and oranges. Oracle is a much more complex
> product and has a lot more features than SQL Server. It's a little bit like
> comparing an Airbus with a Cessna. Both are airplanes...

I disagree. The amount of attack surface has everything to do with 
security robustness.

> Oracle 10g Rel. 2 for example has 17,261 PL/SQL- functions and procedures
> (select count(*) from all_procedures, default installation with samples).

Exactly my point. Oracle should install with as few components as possible - 
it should be secure out of the box - and it is not.

> The following bugs are Oracle application server bugs (Oracle Portal 9.0.2)
> and not RDBMS bugs. Oracle looks a little bit better now (- 6 security 
> bugs)...
>
> wwv_form.genpopuplist SQL Inj., Alert 61, CVE-2003-1193
> wwv_ui_lovf.show SQL Inj., Alert 61, CVE-2003-1193
> ORG_CHART.SHOW SQL Inj., Alert 61, CVE-2003-1193
> wwa_app_module.link SQL Inj., Alert 61, CVE-2003-1193
> wwv_dynxml_generator.show, Alert 61, CVE-2003-1193

You're wrong. Whilst they might be installed with the portal app these are 
PL/SQL packages in the database server. If you want these removed then I 
should remove the SQLXML stuff from SQL Server as it's an add on component.

> The SOAP bug (Alert 65) is not a RDBMS bug (see
> http://www.oracle.com/technology/deploy/security/pdf/2004alert65.pdf)

Again you're wrong. If you take another look at the link you provided it 
says that "Oracle9i Database Server Release 2, versions 9.2.01 and later" 
are affected. The problem lies in soap.jar and can be exploited via the 
RDBMS.

Cheers,
David
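[Editor's note: the thread measures attack surface by counting PL/SQL routines with `select count(*) from all_procedures`. The queries below are an added example, not part of either poster's message, for an administrator who wants to see where that surface sits and how much of it is reachable by every account. They assume an Oracle account with SELECT on the DBA_* dictionary views; the view and column names are the standard ones (ALL_PROCEDURES, DBA_TAB_PRIVS, DBA_OBJECTS).]

```sql
-- Added example: break the headline all_procedures count down by schema,
-- so add-on components (e.g. portal or XML packages installed into the
-- database) show up as their own rows rather than hiding in the total.
SELECT owner, COUNT(*) AS routines
FROM   all_procedures
GROUP  BY owner
ORDER  BY routines DESC;

-- Added example: list packages, procedures and functions on which EXECUTE
-- has been granted to PUBLIC. These are callable by any authenticated
-- account, so they are the part of the installed surface that matters most
-- when deciding which components to drop or revoke before going live.
SELECT o.owner, o.object_name, o.object_type
FROM   dba_tab_privs p
JOIN   dba_objects  o
       ON  o.owner       = p.owner
       AND o.object_name = p.table_name
WHERE  p.grantee   = 'PUBLIC'
  AND  p.privilege = 'EXECUTE'
  AND  o.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION')
ORDER  BY o.owner, o.object_name;
```

Re-running both queries after removing unused components, and comparing the row counts against the previous run, gives a concrete "secure out of the box" baseline rather than a single aggregate number.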
