(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)
David has released his latest paper which investigates how by changing NLS variables an attacker can inject SQL into functions that do not normally take varchar input e.g. those that accept dates. Also functions that do not take input but that do rely on NLS variables are similarly affected. Lateral thinking. Here is the paper [...]
Oracle Middle tier applications usually use Java which is why I have been working on Java Security both at work and for SANS in terms of training at http://www.sans.org/london07/description.php?tid=1517 and presenting http://www.sans.org/sans2008/night.php. Here are the Powerpoint notes in PDF from my latest presentation javasecurity.pdf given April 22nd at SANS Orlando.
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html April 2008 CPU came out at 9.00pm UK time tonight as normal. Two of the vulnerabilities are ones that I found whilst working at NGS and are both PL/SQL injections but the most critical bug is the JInitiator JVM bug… Java Vulnerabilities are the subject of a Presentation I am giving next week at [...]
