[Previous entry: "Oracle applications auditing"] [Next entry: "Tales of the Oak Table - Dave Ensors comments on Oracle security"]
more info on DBMS_SYSTEM.KSDWRT
October 27th, 2004 by Pete
Post to del.icio.us
Post to Furl
I talked about DBMS_SYSTEM.KSDWRT yesterday in an entry to this web log about the security dangers involved in using DBMS_SYSTEM.KSDWRT to write arbitrary text strings to the alert log. I have just received an email about this issue pointing out that the entire database will crash if an overly long string is passed to this function rather than simply a session crash or denial of service.
This can only be fixed by applying the patches from alert 68. A good practice if you do use this function is to wrapper the function with code of your own to check the length of the parameters used. Keep the parameter lengths to suitable values such as 80 characters so that the text fits on a standard screen or any other suitably short value. This will also enable you to still use long strings but they would be transposed to multiple calls to DBMS_SYSTEM.KSDWRT.
The ideal situation is to not allow access to this package or its functions.
November 22nd, 2004 at 04:04 pm
b1ackh0le says:
is this possibleto access throw oracle http server,if we give the proper privilage?
regards