Oct 1, 2013 ... BaartIya laoK a tqaa laoK aprIxaa ivaBaaga. INDIAN AUDIT & ACCOUNTS
DEPARTMENT. P`aQaana mahalaoKakar ka kayaa-l aya (laoKa va ...
Jan 1, 2008 - Of course, one cannot avoid what one cannot define â and so we start with the ... This paper was prepare
Jan 1, 2008 - Network website. .... And the program is free to use a different layout. ...... with double quotes but als
Jan 1, 2008 - Counter-example 4: SQL syntax template with a questionable intent . . . . . 18 ..... from the source code
Assuming though the attacker only has the CREATE SESSION privilege they're ... seconds (which becomes very useful in web
Advanced SQL Injection In SQL Server. Applications. Chris Anley [chris@
ngssoftware.com]. An NGSSoftware Insight Security Research (NISR) Publication
.
Sep 1, 2003 ... Oracle Forms Migrating Forms Applications from Forms 6i, 10g (9.0.4) ... Oracle is
a registered trademark, and JInitiator, Oracle SQL/Services, ...... Oracle Forms
Developer Online Help, available from the Help menu in Oracle.
Oracle Forms Migrating Forms Applications From Forms 6i 10g (10.1.2.0.2) for
Windows and UNIX. B15572-01 ... This document is not warranted to be error-
free. Except as may be .... Components Removed from the Developer Product
Suite . ..... are doc
SQL Injection: Oracle versus Other Databases . ..... It is not intended to be a
tutorial on executing SQL attacks and does not provide instructions on executing
...
Download Best Book Oracle JDeveloper 10g for Forms & PL/SQL Developers: A Guide to Web Development with Oracle ADF (
to use Oracle Forms 6i, 9i, 10g and 11g to build applications that are accessible
.... 7. The same form run with lookAndFeel=generic on the Microsoft Windows
operating system: Figure 2: the ... default function mappings may conflict. TABLE
1: ...
Laboratory for Computer Security Education. 1. SQL Injection ... As the results, we
created a version of phpBB that is vulnerable to the SQL-Injection attack.
We consider such classifications as OWASP [2],. Markov taxonomy [3] ..... http://www.kaspersky.ru/downloads/pdf/technology_auto_prote ction_from_exploit.pdf ...
the web programmer needed not to waste the time in writing codes on the website. ... Mostly, the possibility that ASP would be successfully attacked was higher ...
of a SQL query by an attacker via the input data from the client to the application. This injection in the SQL query ..... MySQL, data is stored in the form of rows and columns in tables .... International Advance Computing Conference (IACC.
a computer and Linux as a blocker between the website and the user (placed on ... For that reason, the majority of organizations presently possess its own website so that the users can make use of the website with more convenient services.
Mar 15, 2009 ... Anti-Virus is smarter (removes popular hacker tools, and in some cases ...... http://
pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/.
1. Oracle® Forms and Reports Developer and Oracle Forms and. Reports
Services 6i (Patch 19). Release Notes. Release 6.0.8.28 for Microsoft Windows
and ...
This document includes notes and considerations relevant to Oracle Forms ...
example, Oracle Forms Builder and Oracle Graphics Builder) have a 6.0.8
version.
5 • Forms6i Patch 18 Installation Note Co-existence in the same $ORACLE_HOME with Previous Releases Oracle Developer 1.6.1 and Oracle Forms Developer 6i can co ...
Developer 6i with Oracle Applications 11i" before reading these Forms ... In this
release of Oracle Forms Developer 6i, most of the major components (for.
This document notes the differences between Oracle Forms Developer and the ...
The Oracle Forms Server is included on the general Oracle Forms Developer.
ORACLE SQL DEVELOPER 2.1. KEY FEATURES AND BENEFITS. FEATURES.
• Browse, edit, create database objects using a Graphical. User Interface.
Browse, edit, create database objects using a Graphical User Interface. • Create
and run SQL scripts. • Edit and debug PL/SQL; build and run. PL/SQL unit tests.
Apr 15, 2005 ... All Oracle Forms applications are vulnerable against SQL Injection by ... About
Oracle Forms: Oracle Forms 10g is Oracle's award winning Web ... a detailed
error message by selecting the “Display Error” in the “Help” menu ...
SQL Injection in Oracle Forms V1.01 Summary:
All Oracle Forms applications are vulnerable against SQL Injection by default. Oracle Applications >=11.5.9 is not affected due to the default setting value “FORMSxx_RESTRICT_ENTER_QUERY = TRUE”. (VU#718548)
About Oracle Forms: Oracle Forms 10g is Oracle's award winning Web Rapid Application Development tool, part of the Oracle Developer Suite 10g. It is a highly productive, end-to-end, PL/SQL based, development environment for building enterprise-class, database centric Internet applications. Oracle Application Server 10g provides out-of-the-box optimized Web deployment platform for Oracle Forms 10g. Oracle itself is using Oracle Forms for Oracle Applications.
Affected products:
All versions of Oracle Forms (3.0-10g, C/S and Web), Oracle Clinical, Oracle Developer Suite
Fix:
Set the undocumented environment variable FORMSxx_RESTRICT_ENTER_QUERY=true (FORMS60_RESTRICT_ENTER_QUERY for Forms 6.x, FORMS90_RESTRICT_ENTER_QUERY for Forms 9.x/10g) and restart the Forms server. This environment variable disables the possibility of using the query/where functionality. or only if really need Query/Where: Write a PRE_QUERY/ON-ERROR-trigger for EVERY input field and validate the entire input for EVERY Oracle Forms module (*.fmb)
SQL Injection in Oracle Forms V1.01 Background: There is an (ancient often forgotten) Oracle Forms feature called “Query/Where” which allows any user to modify existing SQL statements. This is a quite useful feature for power users but also dangerous because every forms user can execute any SQL statement. Short demonstration of SQL Injection 1. Start a Forms module and switch to the query mode and enter a colon (“:”) or ampersand (“&”)
2. An empty Query/Where windows pops up
3. Enter an SQL statement The following statement sends the result of the SQL statement “select username from all_users where rownum=1” to a foreign (or internal) web server. Keep in mind that utl_http.request accepts only one row of the results.
SQL Injection in Oracle Forms V1.01 The web server of the attacker now contains the result of the custom query: 192.168.2.200 - - [14/Feb/2005:10:42:20 +0100] "GET /SYS HTTP/1.1" 404 209
If your SQL statement is not correct like the following example
Oracle returns an error “FRM-40505: Oracle error: unable to perform query.”
You can obtain a detailed error message by selecting the “Display Error” in the “Help” menu
Impact: The impact of the SQL injection depends on the architecture of your Forms application. If the Oracle user used by the Forms application has DBA privileges (like Oracle Applications), EVERY user can select any data in the database. Never set the value FORMSxx_RESTRICT_ENTER_QUERY to FALSE in an existing Oracle Applications environment because every user can execute ANY statement and see ANY data. If your Forms application implements an own user concept (e.g. own user table including passwords) it is possible that, other users could see the data (e.g. their accounts/passwords/…). In all other cases the Forms user can still execute PLSQL packages granted to public like utl_http.
Fix: There are two different possibilities to fix this problem: (a) Disable the Query/Where function by setting the environment variable (introduced with Forms 6.0.8.18.0) FORMSxx_RESTRICT_ENTER_QUERY=true (xx=60 for Forms 6.x, xx=90 for Forms 9.x/10g) and restart the Forms server. Check if Query/Where is now disabled.
(b)
Write a PRE_QUERY and an ON-ERROR trigger for EVERY input field to validate the user input. An example of this can be found in Metalink note 163305.1. Keep in mind that the solution suggested in this Metalink article is incomplete because the checks for $ and # are missing.
Metalink Document 163305.1: How to Disable the Query/Where in Forms Critical Patch Update - April 2005 Hardening Oracle Application Server 9i and 10g: http://www.red-database-security.com/wp/DOAG_2004_us.pdf Google Hacking of Oracle Technologies (e.g. Oracle Forms): http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf
7-oct-2003 Oracle secalert was informed 7-oct-2003 Bug confirmed 12-apr-2005 Advisory version 1.00 published 15-apr-2005 Advisory version 1.01: CERT vulnerability number added
Other Oracle security related documents: Hardening Oracle Application Server 9i Rel.1, 9i Rel.2 and 10g: http://www.red-database-security.com/wp/DOAG_2004_us.pdf Hardening Oracle DBA and Developer Workstations: http://www.red-database-security.com/wp/hardening_admin_pc_us.pdf Database Rootkits / Oracle Rootkits: http://www.red-database-security.com/wp/db_rootkits_us.pdf Google Hacking of Oracle Technologies: http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf
About Red-Database Security GmbH: Red-Database-Security GmbH is a specialist in Oracle Security. We are offerings Oracle security trainings, database and application server audits, penetration tests, oracle (security) architecture reviews and software security solutions against Oracle rootkits.
Contact: If you have questions or comments you could contact us via info at red-database-security.com
