Because Internet computing is pervasive, it's inevitable there will be web
sites, web services and applications that require databases to maintain
persistent information. Privacy, confidentiality and security are often
a requirement, even when we connect a database to the Internet. DBMS
vendors such as IBM, Microsoft, Oracle, and Sybase have included
security features in their database products for more than a decade. No
database or server is immune, however, from attacks and other security
problems. Quite simply, the Internet has become a hacker's playground so
it's necessary to be aware of the threats.
Worms, viruses, trojans and malware can affect servers and the threats are not confined to a single operating system.
As the computing community identifies new security threats and
solutions, we'll explore them here. We'll examine security issues that
concern the Internet and web services communities, database
administrators, developers, CIOs, CTOs, system architects, security
administrators, system managers and network administrators.
Alerts, Vulnerabilities, News
SQL Injection Vulnerability with JBoss Seam
Secunia has issued an advisory for JBoss Seam users that warns of an SQL injection vulnerability. The org.jboss.seam.framework.Query class has a flaw that enables a malicious user to exploit the "order" parameter of the getRenderedEjbql() method. Input to the
parameter is not properly sanitized to prevent SQL injection attacks. The vulnerability affects JBoss Seam versions before 2.0.0 GA.
Authentication Vulnerability Affects DB2 9.1
A security vulnerability in IBM DB2 9.1 can be exploited to trigger memory corruption or launch a denial of service attack. IBM has released
DB2 9.1 fix pack 3a that corrects the problem.
RSA-Based Security Flaws Undermine Database, E-Mail and Networking Infrastructure
Researchers have recently uncovered security vulnerabilities in the OpenSSL toolkit deployed on 60% of the web servers on the Internet. OpenSSL vulnerabilities
include buffer overruns, denial-of-service attacks, forging of digital certificates and compromising of confidential information. In this article, Ken North discusses
OpenSSL vulnerabilities and the effect on digital certificates used for authentication and secure communications.
He also discusses research about an RSA attack based on Simple Branch Prediction Analysis.
MySQL Denial of Service Vulnerability with InnoDB Engine
MySQL installations using the InnoDB engine are vulnerable to denial of service (DoS)
attacks by malicious users. The problem is the convert_search_mode_to_innobase
function in ha_innodb.cc. It can trigger an assertion error by the InnoDB engine that
can be used to crash the server with specially crafted CONTAINS statements.
Exploiting the vulnerability requires ALTER privileges. The vulnerability affects MySQL
4.1.20, 5.0.44 and 5.1.17. The InnoDB repository includes fixes for MySQL 5.x.
IBM DB2 Denial of Service Vulnerabilities Found
Secunia reports IBM DB2 version 8.x is vulnerable to two exploits that can be used to launch denial of service attacks. One threat is from
unspecified errors during CONNECT/ATTACH processing. A second is related to an unspecified error after CONNECT processing.
MySQL Database Creation Security Vulnerabilities
FrSIRT reports two MySQL vulnerabilities that can be exploited by malicious users to bypass security
restrictions. The first problem is due to an error when creating MySQL databases. On case-sensitive file systems, a user can create
arbitrary databases using case variants of a database name for which he has permissions. A second threat comes from a malicious user with EXECUTE privileges.
Security Companies Report Surge of SQL Injection Attacks Against Financial Institutions
Atlanta-based security companies SecureWorks, SPI Dynamics and Internet Security Systems, Inc. report a dramatic rise in the incidence of
SQL injection attacks against databases. SecureWorks reported 120,000 attacks in May 2006 against its 1,000
bank and credit union customers. That represents a 300% increase since March. The attackers, primarily based in Russia, increasingly extort banks and credit unions.
MySQL and PostgreSQL Cooperate to Fix SQL Injection Problem
SQL injection problems plague the Internet and the financial community. Seeking solutions prompted a recent collaboration by developers of MySQL and PostgreSQL.
Fix for PostgreSQL SQL Injection Vulnerability Can Break Applications
A new security patch that's critical for web-facing databases fixes a PostgreSQL SQL injection
vulnerability. The patch can break some applications, but it's particularly important for applications using a Far Eastern multi-byte encoding.
MySQL Security Vulnerabilities Exposed
A Debian security advisory reported several MySQL security problems. The Common Vulnerabilities and
Exposures Project identified four MySQL vulnerabilities. The vulnerabilities enable users to bypass logging, read memory, obtain sensitive information
and execute arbitrary code.
SQL Injection Vulnerability in Oracle PL/SQL Export Extensions
US-CERT reports an Oracle PL/SQL Export Extensions vulnerability may allow an attacker to modify privileged information. The
DBMS_EXPORT_EXTENSION package does not sanitize the user input to the ODCIIndexGetMetadata method,
which enables an attacker to execute SQL statements with SYSDBA privilege.
Sybase iAnywhere Adaptive Server Anywhere Attains EAL3 Security Certification
Sybase iAnywhere announced the Adaptive Server Anywhere® database within SQL Anywhere® 9.0.1 and 9.0.2 exceeds requirements for
Evaluation Assurance Level 3 (EAL3) certification. EAL3
certification means the database complies with the Common Criteria certification standard, a joint activity of the U.S. National Institute of Standards and
Technology (NIST) and the National Security Agency (NSA).
Adobe Announces Fix for Dreamweaver SQL Injection Vulnerability
Adobe announced a fix for a Macromedia Dreamweaver SQL injection vulnerability affecting Windows and Macintosh users. The vulnerability exists for
Dreamweaver MX 2004, Dreamweaver 8.0.2 and earlier versions, affecting the ColdFusion, PHP MySQL, ASP, ASP.NET and JSP server models.
Weak Oracle Password Hashing Vulnerability

A report from SANS Institute titled "An Assessment of the Oracle
Password Hashing Algorithm" reports serious weaknesses in how Oracle
implements passwords. By using SQL injection or
sniffing unencrypted TNS traffic, attackers can obtain the password
hashes for an Oracle database. Once they have determined the hash values
for a user name, they can launch dictionary attacks or recover user
names and passwords. An attacker can also use a rainbow table with the
Oracle hashing algorithm and a fixed user name such as SYSTEM.
Eight New SQL Injection Alerts
Secunia Research and the French Security Incident Response
Team issued multiple reports of software at risk from SQL injection
techniques. Vulnerabilities were identified recently in paFAQ, Fortibus
CMS, Liberium Help Desk, ezUserManager, X-Cart Gold, NewLife Blogger,
NPDS and ZonGG.
BirdBlog SQL Injection Vulnerability
An SQL injection exploit is possible with BirdBlog by using the user id and
password parameters in a PHP script (userid and userpw
in admincore.php). The exploit is possible when magic_quotes_gpc is disabled.
Buffer Overrun in Microsoft Data Access Components (MDAC)
An attack using a specially-crafted message packet can cause a buffer
overflow in one of the MDAC components. The buffer
overflow can lead to privilege escalation that will enable the attacker
to run arbitrary code. Affects MDAC 2.5-2.8.
H.323 Filter Vulnerability in Microsoft Internet Security and Acceleration Server 2000
A vulnerability in the H.323 filter for Microsoft Internet Security and
Acceleration Server 2000 could allow an attacker to overflow a buffer in
the Microsoft Firewall Service. An attacker could exploit this
vulnerability to run code in the security context of the Microsoft
Firewall Service.
PHP-Nuke 7.1.0 SQL Injection Vulnerability
In PHP-Nuke versions 6x-7.1, there is an
SQL injection flaw in the implementation of public messages (broadcast
messages). If exploited, someone could steal passwords and gain control
of the database and web site.
SQL Injection Possible By Exploiting dream4 Koobi Parameter
An SQL injection vulnerability has been reported for version 4.2.3 of
dream4 Koobi. The area parameter in index.php
opens the door for SQL injection if it is not properly sanitized.
Security-Related Web Sites
Adware
This web site maintains a list of adware, spyware, trojans and other threats.
CERT
The CERT Coordination Center (CERT/CC) is a center of security expertise
operated by Carnegie Mellon University.
CHECK
CHECK is operated by CESG, a center of security expertise of the UK
government. CHECK provides IT security health checks to government.
OpenSSL
OpenSSL offers an open source implementation of the Secure Sockets Layer (SSL) protocol.
OptOut
This is a source of anti-spyware information from Steve Gibson of Gibson Research Corporation.
Oracle Security Alerts
This page will help you stay current on security threats for Oracle users.
PacketStorm
PacketStorm is a web site dedicated to security. It has a variety of freely-downloadable tools.
Satellite Hacking
Howard Fuhs presents seminars about IT security. His lectures cover eavesdropping on microwave and wireless communications, corporate espionage, countermeasures, social engineering policies, and Internet security policies.
SQL Security.com
The focus of this site is Microsoft SQL Server security. It includes a web-based scanning tool for auditing SQL Server. The site also includes a Lockdown script administrators can use for securing servers.
Security Tools
@stake WebProxy
WebProxy sits between the browser and web applications to let developers check how applications respond to
SQL injection, buffer overflow, cookie manipulation and other attacks. Available for Windows, Solaris and Linux.
Ad Aware
This is a tool for eliminating tracking software and spyware from your system.
Anti-Sniff for Windows
This is a trial version of one of the best-known anti-sniffers.
AppDetective for Microsoft SQL Server
This is a network-based assessment tool that checks for security problems such as
misconfiguration, weak passwords, holes that permit denial-of-service attacks, and other vulnerabilities.
ARPWatch
ARPWatch keeps track of Ethernet/IP address pairings.
Encrypted File Transfer Protocol
The Encrypted File Transfer Protocol (EFTP) augments RFC 959 FTP with encryption.
EFTP uses a combination of public-key encryption and symmetric-key encryption.
Flowscan Utilities
Flowscan is a tool for graphing the IP usage of a network. These
utilities report the top users of bandwidth.
NEPED Anti-Sniffer
neped scans subnets to detect hosts whose network interfaces are in promiscuous mode, a sign that they are running sniffers or similar
applications.
PivX Solutions
PivX researchers have exposed vulnerabilities in Internet Explorer.
Their Qwik-Fix tool is a free download.
Snort
Snort is an open source intrusion detection system. Information Security magazine chose it as the best open
source product of 2003.
SpywareBlaster
This tool helps protect against malware ActiveX controls.
Trinux Security Toolkit for Linux
Trinux is a ramdisk-based Linux distribution that boots from a single floppy or
CD-ROM. It packages an HTTP/FTP server and a FAT/NTFS/ISO filesystem. It
contains a suite of tools for port scanning, packet sniffing, vulnerability scanning, sniffer detection,
network monitoring, intrusion detection, and more.
Webcam Secure FTP Upload
This tool was developed for use with a webcam, but it's a secure version
of FTP. Its purpose is to prevent someone from sniffing FTP passwords. It's a Java solution that uses SSL.
Articles, Reports and Papers about Security
Advanced SQL Injection in SQL Server Applications
Chris Anley
This white paper discusses SQL injection techniques used with SQL Server, Active Server Pages
(ASP) and Internet Information Server (IIS). It's 25 pages of required reading for anyone
responsible for SQL Server databases.
An Experimental Sniffer Detector: SnifferWall
H. AbdelallahElhadj, H. M. Khelalfa, H. M. Kortebi (CERIST)
This paper presents an overview of intrusion detection systems and sniffer detectors.
The authors describe SnifferWall, which helps network administrators detect sniffers running on Ethernets.
Buffer Overflow in the XML Database of Oracle9i Database Server
Yet another instance of inadequate bounds checking creating a
vulnerability.
Evading Passive Sniffer Detection With IDS Sensors
Bryan Brandt (SANS Institute)
Explains packet sniffers and anti-sniffers. The author explains latency tests, ARP tests, and "receive-only" connections.
Hack-proofing DB2
Aaron Newman
This is a 47-slide presentation for DB2 users. It covers encryption, authentication, SQL injection, buffer overflow, and denial of service attacks.
IBM DB2 Multiple Local Security Issues
IBM DB2 UDB version 8.1 (UNIX) has several vulnerabilities.
Malware Under Linux
Linux is not immune from attacks.
Multiple Vulnerabilities in Sybase Adaptive Server Anywhere 9.0
This is an NGSSoftware advisory about vulnerabilities in the Windows 2000/XP
versions of Adaptive Server Anywhere 9.0.
Oracle SSL Update for CERT CA200326 and older SSL issues
This alert explains a critical vulnerability in OpenSSL.
Rest Secure
Chip Andrews
This article from SQL Server magazine explains how to program for SQL Server with security in mind.
Sniffers and Detection
Sumit Dhar
Good article that explains the principles of detecting sniffers on an Ethernet network.
SQL Injection
Kevin Spett (SPI Labs)
This excellent 25-page white paper explains various attacks. It's a
good departure point if you're trying to understand SQL injection
problems.
SQL Injection and Oracle
Pete Finnegan
Process injection and SQL injection attacks are serious threats to
servers and databases. SQL injection involves adding SQL to an SQL query so that its
execution by a script (e.g., Perl, PHP) opens a hole an attacker can
exploit. This article is part of a series that discusses attacks against Oracle.
Sybase Privilege Escalation
Sybase Adaptive Server 12 and 12.5 have several security holes that
enable non-privileged users to gain privileges. Passing an argument of more than 45 characters to
xp_freedll causes a buffer overflow.
Understanding Database Sniffers
Ken North
This article from Network Computing explains techniques for monitoring client-server communications with database servers.
The Curse and Blessings of Dynamic SQL
Erland Sommarskog
This article discusses the use of dynamic SQL in Microsoft SQL Server stored procedures. The author discusses cursors, permissions,
sp_executesql, and coding mistakes that can open your server to SQL injection attacks.