
Pete Finnigan's Oracle security weblog




An interesting case of information disclosure

November 18th, 2004 by Pete


I was surfing the orablogs website the other day and found an entry in Duncan Mills' weblog that looked interesting. He writes an Oracle weblog and I noticed a security-related post, so my interest was piqued. The post is not directly related to Oracle security itself but was in part related. Duncan reported a hacker's attempt to get into his site by trying to exploit ssh. The reason they did this is a previous posting to his blog, One thing leads to another, that talked about his project to create a JSF-based blog application. The final paragraph of this entry talked about how he had set up ssh access to the groundside.com site for people who were going to help in the project. He also announced that he had work to do in tightening the security.

This whole blog entry reminded me of some work I did on the new SANS six-day hands-on "Securing Oracle Track" that I have been writing for SANS. I covered information leakage in one of the modules; indeed I briefly mentioned the same in the book Oracle security step by step - A survival guide for securing Oracle. I did some research into this issue when writing about it for SANS. Quite frankly, it is amazing what information some companies will leak to the Internet about their Oracle databases, servers and applications, whether in newsgroups, mailing lists or even on corporate websites.

I have seen all manner of information: network configurations, usernames, even passwords, IP addresses, applications used (third-party and in-house), job specifications, even security policies and guidelines (very useful for a hacker to know the password policies!). I have even seen the source code for the authentication of a web-based application that interacts with an Oracle database posted to a newsgroup, where one of the developers wanted to ask a question.

This is a key lesson that companies need to learn. If you post details of IP addresses, usernames, passwords, application structure or even source code to the Internet, or put your policies and working practices on publicly accessible web sites, you should not be surprised if you get attacked: every one of those items saves an attacker reconnaissance work, and a connect string with a password in it saves them the attack as well.
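As an added illustration (not part of the original post, and not code that Pete or Duncan published), the following Python script scans a block of text for the kinds of leakage listed above: SQL*Plus connect strings and JDBC thin URLs carrying a username and password, TNS descriptors naming a host and listener port, and bare IP addresses, which it splits into internal (RFC 1918, loopback, link-local) and routable, the latter being the ones worth taking to a WHOIS lookup. The sample "help me" post is invented; 10.1.2.3 is a private address and 203.0.113.45 is from the TEST-NET-3 documentation range.

```python
"""Scan text (a newsgroup post, a mailing-list message, a pasted config) for
Oracle-related information leakage.  Constructed example; the sample post
below is invented and the addresses in it are private/documentation ranges."""
import ipaddress
import re

# Constructed sample post of the kind described above (not real data).
SAMPLE_POST = """\
Hi all, our listener keeps dropping connections. Here is what we use:
  (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.1.2.3)(PORT=1521))(CONNECT_DATA=(SID=PROD)))
and the app uses jdbc:oracle:thin:appuser/S3cret@10.1.2.3:1521:PROD
Also sqlplus scott/tiger@PROD works from the DBA box.
Apache log line: 203.0.113.45 - - [18/Nov/2004:10:01:02 +0000] "GET /pls/intranet/home HTTP/1.1" 200 512
Thanks, Bob
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# (kind, regex).  For the credential patterns group 1 is the user, group 2 the
# password and group 3 the connect target (host:port:sid or a TNS alias).
PATTERNS = [
    ("jdbc_credentials", re.compile(r"jdbc:oracle:thin:([^/\s]+)/([^@\s]+)@(\S+)")),
    ("sqlplus_credentials", re.compile(r"\bsqlplus\s+([^/\s]+)/([^@\s]+)@(\S+)")),
    ("tns_descriptor", re.compile(r"\(HOST=([^)]+)\)\s*\(PORT=(\d+)\)")),
    ("ipv4_address", re.compile(r"\b" + IPV4 + r"\b")),
]

# Address ranges that cannot be reached from the Internet directly.  Anything
# else is treated as routable and left for a WHOIS lookup; note that this
# deliberately does not use ipaddress's is_private, which would also swallow
# documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def classify_ip(addr: str) -> str:
    """Return 'internal', 'routable' or 'invalid' for a dotted-quad string."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "routable"


def find_leaks(text: str) -> list[dict]:
    """Return one finding per match, with the line number and leak kind.
    Passwords are masked in the recorded value so the report itself does
    not become a second copy of the leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                f = {"line": lineno, "kind": kind, "value": m.group(0)}
                if kind.endswith("_credentials"):
                    f["user"], f["target"] = m.group(1), m.group(3)
                    f["value"] = m.group(0).replace(m.group(2), "***")
                elif kind == "tns_descriptor":
                    f["host"], f["port"] = m.group(1), int(m.group(2))
                elif kind == "ipv4_address":
                    f["scope"] = classify_ip(m.group(0))
                findings.append(f)
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per kind."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


def routable_ips(findings: list[dict]) -> list[str]:
    """Sorted, de-duplicated routable addresses: the WHOIS to-do list."""
    return sorted({f["value"] for f in findings
                   if f["kind"] == "ipv4_address" and f["scope"] == "routable"})


if __name__ == "__main__":
    results = find_leaks(SAMPLE_POST)
    for f in results:
        print(f"line {f['line']:>2}  {f['kind']:<20} {f['value']}"
              + (f"  [{f['scope']}]" if "scope" in f else ""))
    print("summary:", summarize(results))
    print("WHOIS candidates:", routable_ips(results))
```

Run against the sample it reports two sets of credentials (password masked), one TNS descriptor, two internal sightings of 10.1.2.3 and one routable address, 203.0.113.45, which is the only one worth a WHOIS check. The same scan can be pointed at an outgoing-mail archive or a corporate web tree before it goes public.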

Companies need to educate employees on these issues; it's important.

I think in Duncan's case it's a lot less worrying as it's a public project anyway and he doesn't have live production data that can be lost to worry about. Also, the main point is that he understands the issue.

There have been 4 comments posted on this article


November 19th, 2004 at 09:11 am

Mr. Ed says:

Is information about Apache under Oracle (at Oracle) a security problem, too?



November 19th, 2004 at 04:54 pm

Pete Finnigan says:

I have just looked at the page you reference on Tom Kyte's site. It's an interesting page and includes two comments from Tom in terms of information leakage. The first is that the configuration is taken from an internal server using mod_gzip and mod_plsql; also, further down in the example, there is an entry from a log file that shows an IP address and a URL. A quick check on www.whois.sc shows that this is probably an external IP address as it is allocated to Oracle.

So yes, this is a leakage of information that should not really have occurred. A server has been identified, and the software running on it is identified, as are some configuration details.



November 23rd, 2004 at 10:30 pm

Duncan Mills says:

Of course, in my case it could have been a simple port scan that found the SSH port open through the firewall; I assumed it was the blog posting based on the timing.
The comment will self destruct in 5 seconds...



November 24th, 2004 at 02:50 pm

Pete Finnigan says:

Hi Duncan,

Yes, it could have been, but usually there is no such thing as a coincidence; probably your posting had something to do with it.

kind regards

Pete



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
