TUCoPS :: Oracle :: tb10477.htm

Bypass Oracle Logon Trigger
Advisory: Bypass Oracle Logon Trigger
Advisory: Bypass Oracle Logon Trigger


Name 	            Bypass Oracle Logon Trigger (7826485) [DB05]
Systems Affected 	Oracle 8-10g Rel. 2
Severity 	        High Risk
Category 	        Bypass Security Feature Database Logon Trigger
Vendor URL 	 http://www.oracle.com/ 
Author 	            Alexander Kornbrust (ak at red-database-security.com)	 
Advisory 	        17 April 2007 (V 1.00)


Details
#######
It is possible to bypass the Oracle database logon trigger. This can cause severe security problems.

Oracle database logon trigger are often used to restrict user access (e.g. based on time or ip addresses) and/or to do audit entries into (custom) tables. This can be bypassed on unpatched systems.

This advisory is available at
 

Patch Information
#################
Apply the patches for Oracle CPU April 2007.


History
#######
07-jun-2006 Oracle secalert was informed
08-jun-2006 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB05]
17-apr-2007 Advisory published


Additional Information
######################
An analysis of the Oracle CPU April 2007 is available here 
 

This document will be updated during the next few days and weeks with the latest information.


(c) 2007 by Red-Database-Security GmbH
--
http://www.red-database-security.com

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH