Auditing an Oracle database for security issues is very important. provides all of the information and tools that you will need Click here for details of Limited's detailed Oracle database security audit service Click here for details of Limited's Oracle Security Training Courses
There are 63 visitors online    
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Pete Finnigan's Oracle security weblog

Home » Archives » October 2004 » more info on DBMS_SYSTEM.KSDWRT

[Previous entry: "Oracle applications auditing"] [Next entry: "Tales of the Oak Table - Dave Ensors comments on Oracle security"]


October 27th, 2004 by Pete

I talked about DBMS_SYSTEM.KSDWRT yesterday in an entry to this web log about the security dangers involved in using DBMS_SYSTEM.KSDWRT to write arbitrary text strings to the alert log. I have just received an email about this issue pointing out that the entire database will crash if an overly long string is passed to this function rather than simply a session crash or denial of service.

This can only be fixed by applying the patches from alert 68. A good practice if you do use this function is to wrapper the function with code of your own to check the length of the parameters used. Keep the parameter lengths to suitable values such as 80 characters so that the text fits on a standard screen or any other suitably short value. This will also enable you to still use long strings but they would be transposed to multiple calls to DBMS_SYSTEM.KSDWRT.

The ideal situation is to not allow access to this package or its functions.

There has been 2 Comments posted on this article

November 22nd, 2004 at 04:04 pm

b1ackh0le says:

is this possibleto access throw oracle http server,if we give the proper privilage?

November 22nd, 2004 at 05:25 pm

Pete Finnigan says:

The default is that no normal users have been granted access to this package so it should not be possible to exploit it unless access to a user with rights to execute this package is available. e.g - the DBA has granted execute privileges on it. Whether it can be executed remotely via the HTTP server will depend on setup.

October 2004

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Weblog Home
Weblog Archives

Oracle Security Tools page
Oracle security papers
Oracle Security alerts

Web Development
SQL Server Security

Atom 0.3 FEED
Powered by gm-rss 2.0.0

Valid XHTML 1.0!