Because Internet computing is pervasive, it's inevitable there will be web sites, web services and applications that require databases to maintain persistent information. Privacy, confidentiality and security are often a requirement, even when we connect a database to the Internet. DBMS vendors such as IBM, Microsoft, Oracle, and Sybase have included security features in their database products for more than a decade. No database or server is immune, however, from attacks and other security problems. Quite simply, the Internet has become a hacker's playground so it's necessary to be aware of the threats.
Worms, viruses, trojans and malware can affect servers and the threats are not confined to a single operating system.
As the computing community identifies new security threats and solutions, we'll explore them here. We'll examine security issues that concern the Internet and web services communities, database administrators, developers, CIOs, CTOs, system architects, security administrators, system managers and network administrators.
Alerts, Vulnerabilities, News
Authentication Vulnerability Affects DB2 9.1
A security vulnerability in IBM DB2 9.1 can be exploited to trigger memory corruption or launch a denial of service attack. IBM has released DB2 9.1 fix pack 3a that corrects the problem.
RSA-Based Security Flaws Undermine Database, E-Mail and Networking Infrastructure
Researchers have recently uncovered security vulnerabilities in the OpenSSL toolkit deployed on 60% of the web servers on the Internet. OpenSSL vulnerabilities include buffer overruns, denial-of-service attacks, forging of digital certificates and compromising of confidential information. In this article, Ken North discusses OpenSSL vulnerabilities and the effect on digital certificates used for authentication and secure communications. He also discusses research about an RSA attack based on Simple Branch Prediction Analysis.
MySQL Denial of Service Vulnerability with InnoDB Engine
MySQL installations using the InnoDB engine are vulnerable to denial of service (DoS) attacks by malicious users. The problem is the convert_search_mode_to_innobase function in ha_innodb.cc. It can trigger an assertion error by the InnoDB engine that can be used to crash the server with specially crafted CONTAINS statements. Exploiting the vulnerability requires ALTER privileges. The vulnerability affects MySQL 4.1.20, 5.0.44 and 5.1.17. The InnoDB repository includes fixes for MySQL 5.x.
IBM DB2 Denial of Service Vulnerabilities Found
Secunia reports IBM DB2 version 8.x is vulnerable to two exploits that can be used to launch denial of service attacks. One threat is from unspecified errors during CONNECT/ATTACH processing. A second is related to an unspecified error after CONNECT processing.
MySQL Database Creation Security Vulnerabilities
FrSIRT reports two MySQL vulnerabilities that can be exploited by malicious users to bypass security restrictions. The first problem is due to an error when creating MySQL databases. On case-sensitive file systems, a user can create arbitrary databases using case variants of a database name for which he has permissions. A second threat comes from a malicious user with EXECUTE privileges.
Security Companies Report Surge of SQL Injection Attacks Against Financial Institutions
Atlanta-based security companies SecureWorks, SPI Dynamics and Internet Security Systems, Inc. report a dramatic rise in the incidence of SQL injection attacks against databases. SecureWorks reported 120,000 attacks in May 2006 against its 1,000 bank and credit union customers. That represents a 300% increase since March. The attackers, primarily based in Russia, increasingly extort banks and credit unions.
MySQL and PostgreSQL Cooperate to Fix SQL Injection Problem
SQL injection problems plague the Internet and the financial community. Seeking solutions prompted a recent collaboration by developers of MySQL and PostgreSQL.
Fix for PostgreSQL SQL Injection Vulnerability Can Break Applications
A new security patch that's critical for web-facing databases fixes a PostgreSQL SQL injection vulnerability. The patch can break some applications, but it's particularly important for applications using a Far Eastern multi-byte encoding.
MySQL Security Vulnerabilities Exposed
A Debian security advisory reported several MySQL security problems. The Common Vulnerabilities and Exposures Project identified four MySQL vulnerabilities. The vulnerabilities enable users to bypass logging, read memory, obtain sensitive information and execute arbitrary code.
SQL Injection Vulnerability in Oracle PL/SQL Export Extensions
US-CERT reports an Oracle PL/SQL Export Extensions vulnerability may allow an attacker to modify privileged information. The DBMS_EXPORT_EXTENSION package does not sanitize the user input to the ODCIIndexGetMetadata method, which enables an attacker to execute SQL statements with SYSDBA privilege.
Sybase iAnywhere Adaptive Server Anywhere Attains EAL3 Security Certification
Sybase iAnywhere announced that the Adaptive Server Anywhere® database within SQL Anywhere® 9.0.1 and 9.0.2 exceeds the requirements for Evaluation Assurance Level 3 (EAL3) certification. EAL3 certification means the database complies with the Common Criteria certification standard, a joint activity of the U.S. National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).
Adobe Announces Fix for Dreamweaver SQL Injection Vulnerability
Adobe announced a fix for a Macromedia Dreamweaver SQL injection vulnerability affecting Windows and Macintosh users. The vulnerability exists for Dreamweaver MX 2004, Dreamweaver 8.0.2 and earlier versions, affecting the ColdFusion, PHP MySQL, ASP, ASP.NET and JSP server models.
Weak Oracle Password Hashing Vulnerability
A report from SANS Institute titled "An Assessment of the Oracle Password Hashing Algorithm" reports serious weaknesses in how Oracle implements passwords. By using SQL injection or , attackers can obtain the password hashes for an Oracle database. Once they have determined the hash values for a user name, they can launch dictionary attacks or recover user names and passwords. An attacker can also use a rainbow table with the Oracle hashing algorithm and a fixed user name such as SYSTEM.
Eight New SQL Injection Alerts
Secunia Research and the French Security Incident Response Team issued multiple reports of software at risk from SQL injection techniques. Vulnerabilities were identified recently in paFAQ, Fortibus CMS, Liberium Help Desk, ezUserManager, X-Cart Gold, NewLife Blogger, NPDS and ZonGG.
BirdBlog SQL Injection Vulnerability
An SQL injection exploit is possible with BirdBlog by using the user id and password parameters in a PHP script (userid and userpw in admincore.php). The exploit is possible when magic_quotes_gpc is disabled.
Buffer Overrun in Microsoft Data Access Components (MDAC)
An attack using a specially-crafted message packet can cause a buffer overflow in one of the MDAC components. The buffer overflow can lead to privilege escalation that will enable the attacker to run arbitrary code. Affects MDAC 2.5-2.8.
H.323 Filter Vulnerability in Microsoft Internet Security and Acceleration Server 2000
A vulnerability in the H.323 filter for Microsoft Internet Security and Acceleration Server 2000 could allow an attacker to overflow a buffer in the Microsoft Firewall Service. An attacker could exploit this vulnerability to run code in the security context of the Microsoft Firewall Service.
PHP-Nuke 7.1.0 SQL Injection Vulnerability
In PHP-Nuke versions 6.x-7.1, there is an SQL injection flaw in the implementation of public messages (broadcast messages). If exploited, someone could steal passwords and gain control of the database and web site.
SQL Injection Possible By Exploiting dream4 Koobi Parameter
An SQL injection vulnerability has been reported for version 4.2.3 of dream4 Koobi. The area parameter in index.php opens the door for SQL injection if it is not properly sanitized.
Security-Related Web Sites
This web site maintains a list of adware, spyware, trojans and other threats.
The CERT Coordination Center (CERT/CC) is a center of security expertise operated by Carnegie Mellon University.
CHECK is operated by CESG, a center of security expertise of the UK government. CHECK provides IT security health checks to government.
OpenSSL offers an open source implementation of the Secure Sockets Layer (SSL) protocol.
This is a source of anti-spyware information from Steve Gibson of Gibson Research Corporation.
Oracle Security Alerts
This page will help you stay current on security threats for Oracle users.
PacketStorm is a web site dedicated to security. It has a variety of freely-downloadable tools.
Howard Fuhs presents seminars about IT security. His lectures cover eavesdropping on microwave and wireless communications, corporate espionage, countermeasures, social engineering policies, and Internet security policies.
The focus of this site is Microsoft SQL Server security. It includes a web-based scanning tool for auditing SQL Server. The site also includes a Lockdown script administrators can use for securing servers.
WebProxy sits between the browser and web applications to let developers check how applications respond to SQL injection, buffer overflow, cookie manipulation and other attacks. Available for Windows, Solaris and Linux.
This is a tool for eliminating tracking software and spyware from your system.
Anti-Sniff for Windows
This is a trial version of one of the best-known anti-sniffers.
AppDetective for Microsoft SQL Server
This is a network-based assessment tool that checks for security problems such as misconfiguration, weak passwords, holes that permit denial-of-service attacks, and other vulnerabilities.
ARPWatch keeps track of Ethernet/IP address pairings.
The Encrypted File Transfer Protocol augments RFC 959 FTP with encryption. EFTP uses a combination of public-key encryption and symmetric-key encryption.
Flowscan is a tool for graphing the IP usage of a network. These utilities report the top users of bandwidth.
neped scans subnets to detect promiscuous computers running sniffers or similar applications.
PivX researchers have exposed vulnerabilities in Internet Explorer. Their Qwik-Fix tool is a free download.
Snort is an open source intrusion detection system. Information Security magazine chose it as the best open source product of 2003.
This tool helps protect against malware ActiveX controls.
Trinux Security Toolkit for Linux
Trinux is a ramdisk-based Linux distribution that boots from a single floppy or CD-ROM. It packages an HTTP/FTP server and a FAT/NTFS/ISO filesystem. It contains a suite of tools for port scanning, packet sniffing, vulnerability scanning, sniffer detection, network monitoring, intrusion detection, and more.
This tool was developed for use with a webcam, but it's a secure version of FTP. Its purpose is to prevent someone from sniffing FTP passwords. It's a Java solution that uses SSL.
Articles, Reports and Papers about Security
Advanced SQL Injection in SQL Server Applications
This white paper discusses SQL injection techniques used with SQL Server, Active Server Pages (ASP) and Internet Information Server (IIS). It's 25 pages of required reading for anyone responsible for SQL Server databases.
An Experimental Sniffer Detector: SnifferWall
H. AbdelallahElhadj, H. M. Khelalfa, H. M. Kortebi (CERIST)
This paper presents an overview of intrusion detection systems and sniffer detectors. The authors describe SnifferWall, which helps network administrators detect sniffers running on Ethernets.
Buffer Overflow in the XML Database of Oracle9i Database Server
Yet another instance of inadequate bounds checking creating a vulnerability.
Evading Passive Sniffer Detection With IDS Sensors
Bryan Brandt (SANS Institute)
Explains packet sniffers and anti-sniffers. The author explains latency tests, ARP tests, and "receive-only" connections.
This is a 47-slide presentation for DB2 users. It covers encryption, authentication, SQL injection, buffer overflow, and denial of service attacks.
IBM DB2 Multiple Local Security Issues
IBM DB2 UDB version 8.1 (UNIX) has several vulnerabilities.
Malware Under Linux
Linux is not immune from attacks.
Multiple Vulnerabilities in Sybase Adaptive Server Anywhere 9.0
This is an NGSSoftware advisory about vulnerabilities in the Windows 2000/XP versions of Adaptive Server Anywhere 9.0.
Oracle SSL Update for CERT CA200326 and older SSL issues
This alert explains a critical vulnerability in OpenSSL.
This article from SQL Server magazine explains how to program for SQL Server with security in mind.
Sniffers and Detection
Good article that explains the principles of detecting sniffers on an Ethernet network.
Kevin Spett (SPI Labs)
This excellent 25-page white paper explains various attacks. It's a good departure point if you're trying to understand SQL injection problems.
SQL Injection and Oracle
Process injection and SQL injection attacks are serious threats to servers and databases. SQL injection involves adding SQL to an SQL query so that its execution by a script (e.g., Perl, PHP) opens a hole an attacker can exploit. This article is part of a series that discusses attacks against Oracle.
Sybase Privilege Escalation
Sybase Adaptive Server 12 and 12.5 have several security holes that enable non-privileged users to gain privileges. Passing an argument of more than 45 characters to xp_freedll causes a buffer overflow.
This article from Network Computing explains techniques for monitoring client-server communications with database servers.
This article discusses the use of dynamic SQL in Microsoft SQL Server stored procedures. The author discusses cursors, permissions, sp_executesql, and coding mistakes that can open your server to SQL injection attacks.