Oracle...Most Insecure Database!

I have sufficient proof.
Check this and read it carefully:
http://www.appsecinc.com/presentations/Search_Engine_Attack_Database.pdf
That's why I can't resist saying that, despite Oracle adding to flexibility by enabling web access or browser-based computing, this is a very dangerous loophole.
Note, I am not against Oracle. No. But the truth is I tried this, and my conclusion is that there are very many insecure databases out there. Tuning is desired. Oracle may be a hero in the field, but you'll agree with me that the fastest-moving cars crash the loudest, or else cause the worst accidents. You have to do something. I easily did this, I tell you, easily. Tune those DBs and reply here to educate others, please!

I think the subject line for this post is incorrect. I don't think Oracle is inherently more insecure than any other database. Most if not all of the vulnerabilities in the paper you link to are the result of poor configuration on the part of the database installers, not the least of which is a failure to understand the role of the robots.txt file. Many other systems apart from Oracle databases can be hacked by anybody with a modicum of Google Fu.
Anybody who finds their database has been hacked by somebody who's read that paper has failed to read and implement Metalink Note: #131752.1. Lewis Cunningham recently wrote a useful article on hardening passwords. And of course, there's Pete Finnigan's excellent site, a veritable cornucopia of Oracle security resources.
Still, this is a useful paper and one which people ought to read.
Cheers, APC

Similar Messages

  • Install APEX to work on existing Oracle 10g R1 database

    I want to use APEX on an existing Oracle 10g R1 database. If I install it normally with the program downloaded from your site, it installs its own database that you use.
    How can I set / install it to use the existing database instead of its own database?
    Elsie Pretorius

    Hi guys,
    Thanks for the info and input. Has anybody successfully done this? Most of the info that's out there, including the README in the patchset, points to upgrading the OCS, not installing the OCS on top of an existing 10g AS and DB. I'm thinking of installing the OCS R2, then patching and upgrading it to 9.0.4.2 or 4.3, and then pointing or moving it to the existing 10g AS and DB. This is where I'm quite unclear at the moment.
    Anyway, thanks for all the info.
    Regards
    Din

  • Oracle TimesTen In-Memory Database VS Oracle In-Memory Database Cache

    Hi,
    What is the difference between Oracle TimesTen In-Memory Database and Oracle In-Memory Database Cache?
    On 32-bit Windows I am not able to insert more than 500k rows with 150 columns (with combinations of CHAR, BINARY_DOUBLE, BINARY_FLOAT, TT_BIGINT, REAL, DECIMAL, NUMERIC etc.).
    [TimesTen][TimesTen 11.2.2.2.0 ODBC Driver][TimesTen]TT0802: Database permanent space exhausted -- file "blk.c", lineno 3450, procedure "sbBlkAlloc"
    I have set Perm size to 700 MB and Temp size to 100 MB.
    What is the max size we can give for PermSize, TempSize and LogBufMB on 32-bit Windows?
    What is the max size we can give for PermSize, TempSize and LogBufMB on 64-bit Windows?
    What is the max configuration of TT for 32 bit that I can set for Perm size and Temp size?
    Thanks!

    They are the same product but they are licensed differently and the license limits what functionality you can use.
    TimesTen In-Memory Database is a product in its own right that allows you to use TimesTen as a standalone database and also allows replication.
    IMDB Cache is an Oracle DB Enterprise Edition option (i.e. it can only be licensed as an option to an Oracle DB EE license). This includes all the functionality of TimesTen In-Memory Database but adds in cache functionality (cache groups, cache grid etc.).
    32-bit O/S are in general a poor platform to try and create an in-memory database of any significant size (32-bit O/S are very limited in memory addressing capability) and 32-bit Windows is the worst example. The hard-coded limit for total datastore size on 32-bit O/S is 2 GB but in reality you probably can't achieve that. On Windows the largest you can get is 1.1 GB and most often less than that. If you need something more than about 0.5 GB on Windows then you really need to use 64-bit Windows and 64-bit TimesTen. There is no hard-coded upper limit to database size on 64-bit TimesTen; the limit is the amount of free physical memory (not virtual memory) in the machine. I have easily created a 12 GB database on a Win64 machine with 16 GB RAM. On 64-bit Unix machines we have live databases of over 1 TB...
    Chris

  • Error while creating a datasource in planning 9.3.1 on oracle 11.2 database

    I am unable to create a datasource in Planning 9.3.1 on an Oracle 11.2 database. I have configured sharedservices and registered Planning with shared servers. I am unable to create a data source after application deployment and instance creation.
    I am getting the following error,
    Launching Hyperion Configuration Utility Program
    HYPERION_HOME: C:\Hyperion
    In HspDBPropertiesLocationPanel constructor
    In HspDBPropertiesLocationPanel queryEnter
    Resource Bundle is java.util.PropertyResourceBundle@322394
    Product Name in file is PLANNING
    Availability Date is 20051231
    Creating rebind thread to RMI
    Resource Bundle is java.util.PropertyResourceBundle@322394
    Product Name in file is PLANNING
    Availability Date is 20051231
    $$$$$$$$$$$$$ dname is
    Resource Bundle is java.util.PropertyResourceBundle@322394
    Product Name in file is PLANNING
    Availability Date is 20051231
    Exception in thread "AWT-EventQueue-0" java.lang.UnsatisfiedLinkError: no HspEssbaseEnv in java.library.path
    at java.lang.ClassLoader.loadLibrary(Unknown Source)
    at java.lang.Runtime.loadLibrary0(Unknown Source)
    at java.lang.System.loadLibrary(Unknown Source)
    at com.hyperion.planning.olap.HspEssbaseEnv.<clinit>(Unknown Source)
    at com.hyperion.planning.olap.HspEssbaseJniOlap.<clinit>(Unknown Source)
    at com.hyperion.planning.HspJSHomeImpl.TestEssConnection(Unknown Source)
    at com.hyperion.planning.HspDSEssbasePanelManager.TestEssConnection(HspDSEssbasePanelManager.java:156)
    at com.hyperion.planning.HspDSEssbasePanelManager.queryExit(HspDSEssbasePanelManager.java:132)
    at com.hyperion.cis.config.wizard.ProductCustomInputPanel.queryExit(ProductCustomInputPanel.java:114)
    at com.installshield.wizard.awt.AWTWizardUI.doNext(Unknown Source)
    at com.installshield.wizard.awt.AWTWizardUI.actionPerformed(Unknown Source)
    at com.installshield.wizard.swing.SwingWizardUI.actionPerformed(Unknown Source)
    at com.installshield.wizard.swing.SwingWizardUI$SwingNavigationController.notifyListeners(Unknown Source)
    at com.installshield.wizard.swing.SwingWizardUI$SwingNavigationController.actionPerformed(Unknown Source)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
    But my Essbase server is up and running. I am able to connect to it through EAS.

    It looks like more of an issue with connecting to essbase, usually "java.lang.UnsatisfiedLinkError: no HspEssbaseEnv in java.library.path" means planning has not been installed or deployed correctly, what OS is it running on?
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Sequencing and Trigger on Oracle 9i lite database

    We created a schema (TESTSCHEMA) on Oracle 8.1.7 Enterprise edition and have a created a trigger which will use the sequence object to generate primary key for the table (TEST_TABLE)
    Sequence creation:
    CREATE SEQUENCE TESTSCHEMA.TEST_TABLE_SEQUENCE START WITH 6000 INCREMENT BY 1 MINVALUE 6000 MAXVALUE 6999 NOCACHE NOCYCLE NOORDER ;
    Trigger creation:
    CREATE OR REPLACE TRIGGER TEST_TABLE_INSERT BEFORE INSERT ON TEST_TABLE FOR EACH ROW
    DECLARE
    pkValue NUMBER;
    BEGIN
    pkValue := 0;
    Select TEST_TABLE_SEQUENCE.NextVal into pkValue from dual;
    :NEW.TEST_KEY := pkValue;
    END TEST_TABLE_INSERT;
    We have created a snapshot of the schema on mobile server, synchronized the data with the client (Win32 for testing purpose).
    The trigger works fine on the server, but when I run the same query on the lite database with msql it gives me an error:
    [POL-3221] null key in primary index
    I was wondering if sequence generation and triggers are supported on the Oracle 9i Lite database? Or am I missing something?
    Any information/help is appreciated.
    Thanks
    Neeraj

    You can't use SAVEPOINT / ROLLBACK TO SAVEPOINT statements in the database trigger:
    ORA-04092: cannot SET SAVEPOINT in a trigger
    ORA-04092: cannot ROLLBACK in a trigger
    I am not sure what you need exactly, but you can try this:
    Simulating ROLLBACK TO SAVEPOINT Behavior in a Database Trigger
    http://www.quest-pipelines.com/pipelines/plsql/tips02.htm#JUNE
    Regards,
    Zlatko Sirotic

  • Differences between Oracle 9i & 10g database

    I had a query as to what the differences are between the Oracle 9i and 10g databases. I have heard of a partitioning feature which is there in 10g but not in 9i. I hope my question is clear.
    Please, help in solving the doubt.
    regards

    Hi,
    Differences between oracle 10g and 9i
    regards
    Jafar

  • How to install the Oracle Enterprise Manager Database Tuning ?

    Hi,
    How do I install the Oracle Enterprise Manager Database Tuning with the Oracle Tuning Pack
    Release 9.0.1?
    And where can I download this?
    Thank you!

    The only way you can get 9iR1 release software is by asking your Oracle representative for it. The oldest 9i release available for public download is 9iR2.
    You could try the administrative 9iR2 client, it can work with 9iR1 releases.
    ~ Madrid.

  • How to extract data from dmp file to oracle express edition database

    Hi,
    I want to extract an Oracle dump file into an Oracle Express Edition database. Is it possible? If yes, can anyone please guide me on how to do it?
    Thanks

    Hi,
    This might help
    Backup/Export Question!
    Br,Jari

  • Uninstall Oracle 11gr2 RAC database in grid infrastructure

    Hi all,
    After several attempts to install my Oracle RAC database with grid infrastructure, I now want to do a fresh installation, as I have attempted it 3 times and now I have the whole procedure for installing the database and RAC.
    Actually I have installed it correctly, but now I want to clean up my server, remove all Oracle installation directories and do a fresh installation.
    My question is: what is the procedure to uninstall an Oracle RAC database and Clusterware with grid infrastructure and clean up the Oracle base installation?
    The architecture is:
    GRID and clusterware: Oracle grid 11gR2
    Database: Oracle database 11gR2
    Database and grid storage: ASM
    OS: linux centos 6
    Thank you.
    Raluce.

    The deinstallation of Oracle GI may not be an easy thing to do, because it contains many components one should be aware of. A proper deinstall is important because it will save you from many issues with the next install on these servers.
    In general we need to be sure that:
    1. all software stopped properly
    2. removed from oraInventory
    3. binaries removed
    4. /etc/oracle cleared
    5. ocr and votes cleared using dd
    6. /etc/oratab updated
    7. .profile updated
    8. init.d files in /etc/ cleared
    Usually it's recommended to use the deconfigure scripts; if they fail for some reason, the manual procedure should be followed.
    How to Deconfigure/Reconfigure(Rebuild OCR) or Deinstall Grid Infrastructure [ID 1377349.1]
    How to Deinstall Oracle Clusterware Home Manually [ID 1364419.1]
    As a general recommendation, it's a good idea to save your CRS configuration for future reference.
    Regards
    Ed Rudans
    http://erudans.blogspot.com

  • Number of available records in Oracle 10g express database

    Hi,
    I am facing problems in getting the number of available records in Oracle 10g express database with the following query.
    string filename = dbObject.FILENAME;
    string vendorID = dbObject.VENDOR_ID;
    OracleCommand myCommand = _connection.CreateCommand();
    myCommand.CommandText = "SELECT COUNT(*) FROM ASSET_PROCESSING_OUTPUT WHERE FILENAME = :filename AND VENDOR_ID = :vendorID";
    myCommand.CommandType = CommandType.Text;
    myCommand.Parameters.AddWithValue("filename", filename);
    myCommand.Parameters.AddWithValue("vendorID", vendorID);
    OracleDataReader reader = myCommand.ExecuteReader();
    Using this command, how can I find out whether a record exists in the database with the given values?
    Thanks in advance.
    punit

    It appears you're only executing the statement. You need to fetch the result to see the value returned by the SELECT statement.

  • Oracle Enterprise Manager Database Control is not working properly

    Hello!
    I have a problem with Oracle Enterprise Manager Database Control, the web console. When I open the browser, instead of showing the login window, it shows the window with three arrows (the database instance, the listener, and the connection) that are red and down.
    However they are working correctly, the database is up and working, but the EM doesn't show anything else.
    Is there a way to make it work again?
    Thanks!

    The Enterprise Manager has lost sync with the database.
    The only way I know to do this remotely is to tell the OEM to shut down and/or bring up the database - twice. It'll try and fail and perhaps eventually reset its pointers.
    I'd really like Oracle to create a 're-sync to actual state' URL ... there must be an easy way, such as flushing the collected metrics or something.

  • How to check image size in oracle 9i & 10g database

    hi,
    I have inserted an image into a table in an Oracle database and I want to see the query to check the image size in Oracle 9i and 10g databases.
    thanks
    Edited by: user8920919 on May 30, 2010 1:43 AM

    user8920919 wrote:
    hi,
    How to check image size in oracle 9i & 10g database
    thanks
    What do you mean with "image size"?

  • Using OBIEE with Oracle Express Edition Database? SOLVED

    I have a client that wants a quick demo of OBIEE. They sent us some csv files as the data source. I migrated them to Excel files for easier use, but the Excel files seem to have limitations on how I can combine the columns, such as concatenating and formatting.
    I then loaded them into an Oracle Express Edition database, assuming more "database" functionality would be available to me. I was able to load them into the Administration Tool, but Answers gives me the following error when I try to view any results from the Express database:
    Odbc driver returned an error (SQLExecDirectW).
    Error Details
    Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 17001] Oracle Error code: 12154, message: ORA-12154: TNS:could not resolve the connect identifier specified at OCI call OCIServerAttach. [nQSError: 17014] Could not connect to Oracle database. (HY000)
    SQL Issued: SELECT COURSE_ENROLLMENT.CAMPUS saw_0 FROM BI_DEMO ORDER BY saw_0
    Thanks for any help. This is my first non-guided attempt using OBIEE.
    Edited by: markstuartnelson on Sep 29, 2008 5:22 PM

    Thanks. I got some assistance from a co-worker that is also using Express Edition. (This is also my first use of Express Edition.)
    Here is the tnsnames entry that I created, in case it helps someone else:
    DEMO_XE =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
        )
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = xe)
        )
      )

  • Oracle 9i Personal Database

    My question is a bit outdated, but please do not mind me because I am just a new user...
    I have installed Oracle 9i Personal Database on my local computer with Windows XP Professional. Now when I start SQL*Plus it asks for the user name, password and host string. What are the user name and password? When I enter the default user name sysman and password oem_temp it gives an error: ORA-12560 TNS protocol adapter error.
    The same happens with Enterprise Manager Console, which gives the option of standalone and the other... What should I do? Is there any configuration required the first time we install Oracle, or do I need to connect to a server? Please guide me...
    thanks

    Hi..
    During the installation of Oracle you would have entered the password for the sys user, which you can use to log in.
    username:- sys as sysdba
    password:- that you provided
    For ORA-12560 TNS protocol adapter error, Start --> Run --> services.msc --> OracleserviceSID --> start it.
    when i enter the default user name sysman and password oem_temp
    Are you sure it's a 9i database? You don't have a SYSMAN user by default in 9i; it's only from the 10g database that the SYSMAN user has the SYSAUX tablespace as the default one.
    Anand

  • Oracle 11.2 client connecting to Oracle 10.2 databases

    I have an application which currently uses 10.2.0.4 Oracle Client to connect to Oracle 10.2 databases using java (jdbc).
    Now I have to do the setup on another Linux server and am looking into whether I can use the 11.2 Oracle client available on technet.oracle.com to connect to
    10.2 databases. I will be using jdbc for connectivity.

    Maybe showing my ignorance here, but doesn't the application itself have to be written to use the jdbc thin driver?
    That would not be typical. A Java application will normally be modular as regards DB connections.
    1. The app itself will be written to take an instance of the 'Connection' interface
    http://docs.oracle.com/javase/6/docs/api/java/sql/Connection.html
    2. The actual 'Connection' instance will be created by a factory method or other application independent code at startup and then passed to the application code.
    Just like TNSNAMES.ORA contains the parameters for OCI connections an application will normally use a config file and/or command-line parameters for the JDBC connection parameters.
    Naturally, just like everything else, developers can always screw things up by hard coding values. Nothing you can do about that.
    See the 'Database URLs and Database Specifiers' section of the JDBC dev guide
    http://docs.oracle.com/cd/E11882_01/java.112/e16548/urls.htm#BEIJFHHB
    Database URLs are strings. The complete URL syntax is:
    jdbc:oracle:driver_type:[username/password]@database_specifier 
    Note:
      The brackets indicate that the username/password pair is optional.
      kprb, the internal server-side driver, uses an implicit connection. Database URLs for the server-side driver end after the driver_type.
    The first part of the URL specifies which JDBC driver is to be used. The supported driver_type values are thin, oci, and kprb.
    The remainder of the URL contains an optional user name and password separated by a slash, an @, and the
    database specifier, which uniquely identifies the database to which the application is connected. Some database specifiers are valid only for the JDBC Thin driver, some only for the JDBC OCI driver, and some for both.
    Then there are examples of each driver type in 'Table 8-3 Supported Database Specifiers'
    Thin: "jdbc:oracle:thin:scott/tiger@//myhost:1521/myservicename"
    See that table 8-3 for the different OCI options.
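
An added example, not part of the original thread or of Oracle's documentation: a small Python audit that parses the `jdbc:oracle:driver_type:[username/password]@database_specifier` syntax quoted above and reports configuration entries whose URL carries a hard-coded password. The key names, hosts and config lines are constructed for illustration, and splitting on the last `@` is an assumption of this sketch.

```python
from typing import NamedTuple, Optional

SUPPORTED_DRIVERS = ("thin", "oci", "kprb")  # driver_type values named in the post
PREFIX = "jdbc:oracle:"


class OracleJdbcUrl(NamedTuple):
    driver: str
    user: Optional[str]
    password: Optional[str]
    specifier: Optional[str]


def parse_oracle_jdbc_url(url: str) -> OracleJdbcUrl:
    """Split jdbc:oracle:driver_type:[username/password]@database_specifier."""
    if not url.startswith(PREFIX):
        raise ValueError("not an Oracle JDBC URL")
    driver, _, tail = url[len(PREFIX):].partition(":")
    if driver not in SUPPORTED_DRIVERS:
        raise ValueError(f"unsupported driver_type {driver!r}")
    if driver == "kprb" and not tail:
        # Server-side driver: implicit connection, URL ends after driver_type.
        return OracleJdbcUrl(driver, None, None, None)
    if "@" not in tail:
        raise ValueError("missing @database_specifier")
    # Assumption: split on the last '@' so a password containing '@' stays whole.
    creds, _, specifier = tail.rpartition("@")
    if not creds:
        return OracleJdbcUrl(driver, None, None, specifier)
    user, slash, password = creds.partition("/")
    if not slash or not user:
        raise ValueError("credentials must be username/password")
    return OracleJdbcUrl(driver, user, password, specifier)


def redact(url: str) -> str:
    """Return the URL with any embedded password masked, safe for logs."""
    p = parse_oracle_jdbc_url(url)
    if p.password is None:
        return url
    return f"{PREFIX}{p.driver}:{p.user}/****@{p.specifier}"


def audit(lines):
    """Return (lineno, key, finding) for key=value lines holding JDBC URLs."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        key, eq, value = line.strip().partition("=")
        if not eq or key.startswith("#") or not value.startswith(PREFIX):
            continue
        try:
            parsed = parse_oracle_jdbc_url(value)
        except ValueError as exc:
            findings.append((lineno, key, f"invalid: {exc}"))
            continue
        if parsed.password is not None:
            findings.append((lineno, key, f"embedded credentials: {redact(value)}"))
    return findings


# Constructed sample config; only the scott/tiger thin URL comes from the post.
SAMPLE = [
    "# constructed sample properties file",
    "db.reporting.url=jdbc:oracle:thin:scott/tiger@//myhost:1521/myservicename",
    "db.orders.url=jdbc:oracle:thin:@//dbhost.example:1521/orders",
    "db.batch.url=jdbc:oracle:oci:@ORCL",
    "db.proc.url=jdbc:oracle:kprb:",
    "db.bad.url=jdbc:oracle:fat:@x",
]
```

Calling `audit(SAMPLE)` flags line 2 (password masked in the finding) and line 6 (unsupported driver type); URLs that leave the optional credentials out pass cleanly.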
