42 bugs in Oracle Metalink - revealing sensitive customer data

Now that's a mess. In the article "Oracle Bug Database Susceptible to 'Metalink Hacking'" I just read that the Oracle security research firm Red Database Security GmbH has found 42 bugs, some of them serious, in Oracle Corp.'s Metalink knowledge base, and has determined that it is possible to search Oracle's bug database for customer e-mail addresses, deployed configurations, test cases and other sensitive information, in an approach similar to "Google hacking."

Quote:

"Within 42 hours I was able to find 42 bugs with security potential (e.g., denial of service, SQL Injection, …)," RDS' Alexander Kornbrust said from Germany via an e-mail conversation. "I stopped after 42 bugs." He said he then reported the bugs to Oracle.

  • the bugs are not addressed by Oracle's latest security patch set
  • Oracle could not provide formal feedback on the report

Let's hope Oracle finds the time to address these issues soon, and with good PR advice, because

Quote:

What makes the vulnerabilities particularly disturbing, security experts say, is that Oracle has built up such a rich repository in its Metalink forum.

Comments

I am new to Oracle, having secured a post as a DBA which I am really starting to enjoy after an eight-month struggle. However, I am soon to commence testing prior to an upgrade from 11i,10(8) to 11i,10(10), and I was wondering if you could forward me any useful information in relation to new features, as my colleagues in my Information Management Team are pretty slow at assisting me.
I thank you for your assistance in this matter and I look forward to hearing from you.