Musings on Database Security

Oracle CPU - October 2008

Slavik — Wed, 15 Oct 2008 11:08:29 +0000

It’s that time of the quarter again. Oracle just released another CPU, this time with 15 DB vulnerabilities compared with the 11 in the July CPU and 15 in April. There are also some interesting vulnerabilities for Oracle EBS and application server. Sentrigo is represented by Guy Pilosof and myself in the credits section. The vulnerabilities [...]

Oracle OpenWorld

Slavik — Tue, 30 Sep 2008 07:18:05 +0000

Well, Oracle OpenWorld came and went. As usual, I hardly had any time to attend sessions. The one really cool session I attended ( besides my own ) was by Tanel Poder talking about troubleshooting Oracle when the Oracle instrumentation does not work. See his blog for details. I really loved his straight forward [...]

SQL Server 2008 - DBCC BYTES

Slavik — Fri, 19 Sep 2008 16:24:22 +0000

I’ve just noticed that Microsoft had removed the DBCC BYTES command from DBCC. On 2005: DBCC TRACEON(2588) DBCC HELP (’?') GO activecursors addextendedproc addinstance auditevent autopilot buffer bytes cacheprofile cachestats callfulltext checkalloc checkcatalog checkconstraints checkdb checkfilegroup checkident checkprimaryfile checktable cleantable clearspacecaches collectstats concurrencyviolation cursorstats dbrecover dbreindex dbreindexall dbrepair debugbreak deleteinstance detachdb dropcleanbuffers dropextendedproc config dbinfo dbtable lock log page resource dumptrigger errorlog extentinfo fileheader fixallocation flush flushprocindb forceghostcleanup free freeproccache freesessioncache freesystemcache freeze_io help icecapquery incrementinstance ind indexdefrag inputbuffer invalidate_textptr invalidate_textptr_objid latch loginfo mapallocunit memobjlist memorymap memorystatus metadata movepage no_textptr opentran optimizer_whatif outputbuffer perfmon persiststackhash pintable proccache prtipage readpage renamecolumn ruleoff ruleon semetadata setcpuweight setinstance setioweight show_statistics showcontig showdbaffinity showfilestats showoffrules showonrules showtableaffinity showtext showweights shrinkdatabase shrinkfile sqlmgrstats sqlperf stackdump tec thaw_io traceoff traceon tracestatus unpintable updateusage useplan useroptions writepage cleanpage DBCC execution completed. If DBCC printed error messages, contact your system administrator. While running the same thing on 2008 does not contain DBCC BYTES. I wonder what’s the reason for this change (I’ve checked the binary and it does not contain [...]

Database statements that can make you tear out your hair

Slavik — Thu, 28 Aug 2008 23:52:11 +0000

Its been a long time since I’ve written anything here. I’ve been extremely busy with my family move to the bay area. I still can’t believe the amount of paperwork required. I’ve filled virtually hundreds of forms and it’s not over yet. But, after a month here, I can say that we’ve finally settled down. [...]

SQL Injection and separation of duties

Slavik — Sun, 22 Jun 2008 14:42:49 +0000

Adrian Lane writes in his blog entry about separation of duties on the application level. While I agree with his sentiments I also know how hard it is to do so from the application development side. In most applications , database connections are using connection pooling. Creating such a separation makes the development process a [...]

Mass SQL Injection attack is still out there

Slavik — Fri, 20 Jun 2008 13:22:34 +0000

Well, it was an interesting day today for us in Sentrigo. One of our customers was being attacked by this mass SQL injection and since our software identified the attack he came to us to help him cope with the situation. As explained in other places, the attack takes advantage of vulnerable web sites and [...]