Questions tagged [oracle]

Oracle Corporation is an American computer technology company based in California. Oracle specializes in computer hardware and enterprise software products, including its own RDBMS, along with MySQL and Java as a result of purchasing Sun Microsystems.

63 questions
1
vote
1 answer

Understanding Oracle 11g password hashing algorithms

I'm trying to understand the Oracle 11g password hashing algorithm. I found this link explaining how it is done; however, I have some confusion about how they say it's done. According to that link it goes like this: a random 10-byte salt string is…
13aal
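Added example, not from the question above or from Oracle's own code: how the Oracle 11g "S:" verifier described there is built from a password and a 10-byte salt, how it is checked, and why the salt alone does not slow down a per-user guessing loop. The one assumption is that the password is hashed as its UTF-8 bytes (identical for ASCII passwords); the salt used in the demo is constructed.

```python
# Added example (not from the question or from Oracle): how an Oracle 11g
# "S:" password verifier is built and checked. Assumption: the password is
# hashed as its UTF-8 bytes; for ASCII passwords this is the same thing.
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

SALT_LEN = 10    # random salt appended to the password before hashing
DIGEST_LEN = 20  # SHA-1 output length


def make_11g_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Return the SYS.USER$.SPARE4 value: "S:" + hex(SHA1(password || salt)) + hex(salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "S:" + (digest + salt).hex().upper()


def split_11g_verifier(verifier: str) -> Tuple[bytes, bytes]:
    """Separate the stored value into (digest, salt); the salt is the last 10 bytes."""
    if verifier.startswith("S:"):
        verifier = verifier[2:]
    raw = bytes.fromhex(verifier)
    if len(raw) != DIGEST_LEN + SALT_LEN:
        raise ValueError("expected 60 hex characters after the S: prefix")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_11g(password: str, verifier: str) -> bool:
    """Recompute SHA1(password || stored salt) and compare in constant time."""
    digest, salt = split_11g_verifier(verifier)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(verifier: str, candidates: Iterable[str]) -> Optional[str]:
    """The salt defeats precomputed tables, but each guess still costs one
    plain SHA-1 with no iteration count, so a wordlist runs at raw SHA-1 speed."""
    digest, salt = split_11g_verifier(verifier)
    for guess in candidates:
        if hashlib.sha1(guess.encode("utf-8") + salt).digest() == digest:
            return guess
    return None


if __name__ == "__main__":
    demo_salt = bytes(range(SALT_LEN))  # constructed; real salts come from the server
    stored = make_11g_verifier("Secret1", demo_salt)
    print(stored)
    print(verify_11g("Secret1", stored), verify_11g("secret1", stored))
    print(dictionary_attack(stored, ["password", "secret1", "Secret1"]))
```

Unlike the 10g DES-based verifier, the 11g value is case-sensitive, which is why `verify_11g("secret1", ...)` fails above.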
1
vote
2 answers

Why does Oracle say the following deserialization vulnerabilities are related to the HTTP protocol?

According to the Oracle website, the following deserialization vulnerabilities are related to the HTTP protocol: CVE-2015-7501, CVE-2016-5535, CVE-2016-3586, CVE-2016-3510, etc. But I do not understand why WebLogic says it is related to the HTTP protocol. Unless…
Manjula
1
vote
0 answers

Does using Oracle TDE guarantee compliance with HIPAA for persisting sensitive data?

Persisting sensitive customer pharma data is becoming more challenging with stricter HIPAA compliance guidelines. I am wondering whether TDE solves it entirely or whether there are any gaps that a developer/DBA should be aware of.
bluefalcon
1
vote
1 answer

OpenSSL oracle padding vulnerability (CVE-2016-2107)

Hi, we have a Windows 2008 R2 SP1 server running Oracle with OpenSSL. Upon doing a security scan we have found out that we are getting the OpenSSL oracle padding vulnerability (CVE-2016-2107). Threat: A MITM attacker can use a padding…
gsb005
1
vote
1 answer

Executing XSS on a .jsp page by escaping the string and with raw bytecode?

Assume that a Java (.jsp) page takes a form input as a string, the server does nothing to sanitize it, and then echoes it back to the user. How would an attacker escape the string to execute arbitrary commands? Obviously they could throw JavaScript…
Verbal Kint
1
vote
1 answer

How do I know if a Nessus scan against an Oracle instance has been successful?

I have a Nessus policy with all the Oracle plugins activated and the rest of the plugins disabled. I ran the scan against a fresh installation but I get nothing but the Oracle TNS Listener Remote Poisoning vulnerability. Is there any plugin that…
raziel
1
vote
0 answers

Oracle PL/SQL SQL Injection Test from Unicode to Windows-1252

I have a DB using the windows-1252 character encoding and dynamic SQL that does simple single-quote escaping like this: l_str := REPLACE(TRIM(someUserInput),'''',''''''); Because the DB is windows-1252, when the notorious Unicode character 'MODIFIER…
gfrobenius
0
votes
1 answer

Number of certificates in a PKCS#12 archive

Is there a command to find the number of certificates in a PKCS#12 archive? I have a .pfx file sent by a client but need to find out how many certificates it contains. I don't need any of the corresponding private keys. Oracle Wallet Manager could…
Fadel
0
votes
1 answer

What are the reasons behind Oracle password restrictions?

Oracle presents a fairly restrictive password policy: passwords can be from 1 to 30 characters; the first character in an Oracle password must be a letter; only letters, numbers, and the symbols “#”, “_” and “$” are acceptable in a…
Cybergibbons
0
votes
1 answer

Oracle WebLogic vulnerability

I searched for Oracle WebLogic vulnerabilities and found this vulnerability: Oracle WebLogic Server Cross-Site Scripting and Manipulation of Data Vulnerabilities (http://secunia.com/community/advisories/51501). I want some sample attack scenarios to…
0
votes
0 answers

Is it a database security hazard to let multiple Oracle databases UTL_FILE the same filesystem?

I'm looking at a scenario in which it would be convenient to let 3 different cloud-rented Linux boxes (server A is the "scheduler control server", server B runs "database 1" on Oracle, and server C runs "database 2" on Oracle) read and write the same…
k..
0
votes
1 answer

Is my Java code still vulnerable to SQL injection?

We have a Java web application that was vulnerable to blind SQL injection attacks. Our developers fixed the code by using the replaceAll() function to convert single quotes to two single quotes. I am trying to understand whether the following lines…
b.k
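Added example serving both the PL/SQL windows-1252 question above and this Java `replaceAll()` question; it is not code posted by either asker. It runs the "double every single quote" idiom against SQLite standing in for Oracle and shows two ways it fails: escaping before a lossy character-set conversion, and escaping a value that is never inside quotes at all. The best-fit mapping of U+02BC to a plain apostrophe is an assumption used to model the conversion the PL/SQL question worries about, not documented Oracle behaviour; the table rows are constructed.

```python
# Added example (not code from either question): two ways the "double the
# single quotes" defence fails, run against SQLite standing in for Oracle.
# The best-fit charset mapping below is an assumption used to model the
# PL/SQL question's windows-1252 conversion, not documented Oracle behaviour.
import codecs
import sqlite3
from typing import List

# --- failure 1: escape first, convert to the DB charset second --------------
# U+02BC MODIFIER LETTER APOSTROPHE has no windows-1252 code point. A best-fit
# conversion (assumed here) folds it to 0x27, creating a quote the escaping
# step never saw.
BEST_FIT = {"\u02bc": "'"}


def _best_fit_handler(err: UnicodeError):
    chunk = err.object[err.start:err.end]
    return "".join(BEST_FIT.get(ch, "?") for ch in chunk), err.end


codecs.register_error("bestfit", _best_fit_handler)


def escape_quotes(s: str) -> str:
    """The REPLACE(..., '''', '''''') / replaceAll("'", "''") idiom."""
    return s.replace("'", "''")


def to_db_charset(s: str) -> bytes:
    return s.encode("cp1252", errors="bestfit")


def name_query_vuln(user_input: str) -> str:
    """Escape, then convert: the apostrophe is born after the escaping ran."""
    body = to_db_charset(escape_quotes(user_input))
    return (b"SELECT name FROM users WHERE name = '" + body + b"'").decode("cp1252")


def name_query_fixed(user_input: str) -> str:
    """Convert to the DB charset first, then escape what the DB will actually see."""
    body = to_db_charset(user_input).decode("cp1252")
    return "SELECT name FROM users WHERE name = '" + escape_quotes(body) + "'"


# --- failure 2: quote doubling in a numeric context (the Java question) -----
def id_query_vuln(user_input: str) -> str:
    """No quotes around the value, so doubling quotes changes nothing."""
    return "SELECT name FROM users WHERE id = " + escape_quotes(user_input)


def _fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    # constructed rows
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def run(sql: str) -> List[str]:
    return [row[0] for row in _fresh_db().execute(sql)]


def lookup_by_id_safe(user_input: str) -> List[str]:
    """Validate the type, then bind: the value can never become SQL syntax."""
    user_id = int(user_input)  # raises ValueError on "1 OR 1=1"
    con = _fresh_db()
    return [row[0] for row in con.execute("SELECT name FROM users WHERE id = ?", (user_id,))]


if __name__ == "__main__":
    payload = "\u02bc OR 1=1 --"
    print(name_query_vuln(payload), "->", run(name_query_vuln(payload)))    # every row
    print(name_query_fixed(payload), "->", run(name_query_fixed(payload)))  # no rows
    print(run(id_query_vuln("1 OR 1=1")))                                   # every row
    print(lookup_by_id_safe("1"))
```

The ordering fix in `name_query_fixed` only closes the charset hole; the numeric case shows why the real fix for the Java code is bind variables plus type validation rather than any amount of quote handling.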
0
votes
2 answers

TDE - Encrypting different rows with different keys

My question is general but related to Oracle DB. I have a single table with different companies as rows. Each row has a company id and company registration number. I would like to encrypt the company registration number, but I want to encrypt each…
ZEE
0
votes
1 answer

Verifying Encryption at Rest with Oracle 11g

I have a big giant database that is basically human resources related. As such, it contains all the PII in the world (SSN, medical related stuff, bank payment info, etc). If you do not request PII access permissions on the database, PII fields…
Dylan
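Added example, not from the question above: the programmatic equivalent of running strings and grep over a copied datafile to check whether PII is really encrypted at rest. It scans a byte blob for SSN-shaped values in the two encodings Oracle text columns commonly use (single-byte/UTF-8 for VARCHAR2, UTF-16 big-endian for NVARCHAR2 in AL16UTF16) and measures byte entropy, which sits near 8 bits for ciphertext and far below it for padded plaintext pages. The sample pages are constructed and do not reproduce Oracle's real block layout; a clean result is evidence, not proof, that the file is encrypted.

```python
# Added example (not from the question): a crude encryption-at-rest check,
# the programmatic equivalent of strings/grep over a datafile. The page
# contents below are constructed, not real Oracle block layouts.
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# A US SSN as stored in a VARCHAR2 (single-byte/UTF-8 text) and in an
# NVARCHAR2 (AL16UTF16, i.e. UTF-16 big-endian).
PII_PATTERNS = [
    (re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"), "utf-8"),
    (re.compile(rb"(?:\x00\d){3}\x00-(?:\x00\d){2}\x00-(?:\x00\d){4}"), "utf-16-be"),
]


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: ciphertext sits close to 8.0, zero-padded text far below."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum((c / n) * math.log2(c / n) for c in Counter(blob).values())


def find_plaintext_pii(blob: bytes, known_values: Tuple[str, ...] = ()) -> List[Tuple[int, str]]:
    """Offsets of SSN-shaped strings plus any known values (e.g. a test row's SSN)."""
    hits = [(m.start(), m.group().decode(enc))
            for rx, enc in PII_PATTERNS for m in rx.finditer(blob)]
    for value in known_values:
        for enc in ("utf-8", "utf-16-be"):
            needle = value.encode(enc)
            start = blob.find(needle)
            while start != -1:
                hits.append((start, value))
                start = blob.find(needle, start + 1)
    return sorted(set(hits))


def assess_datafile(blob: bytes, known_values: Tuple[str, ...] = ()) -> Dict[str, object]:
    """Summarise one page: high entropy and no recognisable PII is the good case."""
    pii = find_plaintext_pii(blob, known_values)
    entropy = shannon_entropy(blob)
    return {"entropy": round(entropy, 2), "plaintext_pii": pii,
            "looks_encrypted": entropy > 7.5 and not pii}


def pseudo_random_bytes(n: int, seed: bytes = b"tde-demo") -> bytes:
    """Deterministic high-entropy filler standing in for TDE ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: a cleartext page with one VARCHAR2 and one NVARCHAR2
# SSN, and a ciphertext-like page.
CLEARTEXT_PAGE = (b"\x00" * 128
                  + b"EMP\x02\x01Dylan Smith\x04123-45-6789\x03"
                  + "987-65-4321".encode("utf-16-be")
                  + b"\x00" * 128)
ENCRYPTED_PAGE = pseudo_random_bytes(4096)


if __name__ == "__main__":
    # In practice read a copy of the datafile, e.g. open(path, "rb").read()
    print(assess_datafile(CLEARTEXT_PAGE, ("123-45-6789",)))
    print(assess_datafile(ENCRYPTED_PAGE, ("123-45-6789",)))
```

Use it on a copy of the datafile taken while the instance is running with the expected keys loaded, and seed `known_values` with a value you inserted yourself so you are searching for a string you know is present in the table.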
0
votes
0 answers

CSRF vulnerability in Oracle ADF web application

I am pentesting an Oracle ADF web application. One of the requests, to delete some content, consists of parameters like _adf.ctrl-state and javax.faces.ViewState, which seem to be random numbers active only during one session. I'm not sure if this…
user187205