Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "PL/SQL Package with no DEFINER or INVOKER rights - Part 2"] [Next entry: "XS$NULL - Can we login to it and does it really have no privileges?"]

Bug Bounty

There has been a rise on bug bounty programs and websites that help researchers find and disclose bugs to website and other owners with the hope of a payout from the owner of the vulnerable wesbsites. Some big well known websites have their own bounty programs and pay researchers for finding critical bugs in their sites that could potentially cause them financial issues if someone breached the websites and stole content.

These sites that offer bug bounties are in principal OK and I don't have an issue BUT I keep getting emails from various bug bounties and also individual researchers that tell me that they have found a security issue in my website. The problem for me is that over last quite a few years I have had the same bug reported to me maybe more than 20 times. I have kept quiet about this every time until now but I want to post now a blog to discuss this bug and hope that future researchers may read this and may not cause me to spend time responding and saying the same thing over and over.

Yesterday afternoon I received notification from a bug bounty website; actually 13 notifications; 13 exact same emails from them stating the same thing. Someone had found a security flaw in my website. Also the email (s) states something like:

DISCLAIMER: we have no direct or indirect relations with security researchers. We only verify the issue/bug and notify asap.

And before that it states something like:

Following ISO/IEC 29147 standard guidelines, we verified the vulnerability's existence before contacting you. Please contact the researcher direct to find details of the bug and if we sent this in error please forward it

The emails from them never state what the issue actually is and instead says that you have to contact the researcher. If you go to the websites details page for the issue also states:

we as a non-profit, never act as an intermediary between website owners and security researchers. we only verify and publish when fixed and during the notification period.

So basically, they collect bugs, do not accept any responsibility for what's reported and state that they will never get involved in any discussion on the bugs reported. This time the researcher responded promptly and courteously and agreed that it wasn't actually a bug and I asked him to remove the entry from the bug website but the entry page still exists and it says the bug was patched - not true. This is in fact happened multiple times; apparently I have patched this bug many times - not true. The last time (or maybe two times ago; I don't remember for sure) it took a lot of effort to get the researcher to agree that it was not a bug; in fact that time the researcher would not accept my word and would not remove the issue from the bug website. I got no help from the bug website either. This time (yesterday) the researcher was good and accepted it and was very polite. Whilst these issues keep happening and I keep getting reports of the same bug my site appears in these bounty websites list of vulnerable websites. I noticed higher than normal traffic yesterday and it may be a coincidence but having your website added to a list of vulnerable websites doesn't help; probably.

So what is this bug that people keep finding. Well put this search string in Google:

filetype:sql password

And my website comes third for the page "Oracle Default Passwords - Pete Finnigan". Open that page and at the top you will see:

-- This file part of a free tool to audit Oracle database
-- default passwords that may still be present. The tool is
-- presented here http://www.petefinnigan.com/default/default_password_checker.htm
-- This link shows how to install and run this tool in your Oracle database
--
-- This file is NOT a dump of user passwords from petefinnigan.com.

insert into osp_accounts
(product
, security_level
, username
, password
, hash_value
, commentary
) values (
'Oracle'
,3
,'BRIO_ADMIN'
,'BRIO_ADMIN'
,'EB50644BE27DF70B'
,'BRIO_ADMIN is an account of a 3rd party product.'
)
/
...

So, obviously this is not an SQL file for passwords or accounts for my website. This is part of a free tool to check for Oracle default passwords in peoples Oracle databases. It even states it in the comments in the file that this is not a part of my website and not passwords for my website.

So, please if you are a researcher please read the comments in that SQL file first before you report it; its not a vulnerability, it's part of a free tool to help people with Oracle Security

Also bug programs; when you accept a bug like this please verify it properly and read the contents of the url that's reported as a bug and then reject it. How many reports do these sites actually reject?

Finally bug programs; please also consider that sending 13 identical emails to someone where there is no existing business relationship and no consent to receive those emails is considered an issue in Europe now. Justifying that its reporting a bug is fine but not 13 times.

In fact, posting this blog post will show the same passwords again and more detailed Google dorks that maybe look for SQL inserts and the word password may direct future researchers to this page as well.

In summary; nothing wrong with reporting bugs but it should be done with responsibility; I.e. researcher check first; the program reported to should also do the proper checks that they claim many times to do and make some efforts to send one email to the contact email not to 13 random guesses.