heise Security IT security news and services at heise Security UK
30 June 2006, 09:32

In a security advisory, Alexander Kornbrust has reported on a common programming error in Oracle Reports that allows arbitrary SQL to be injected into a report's query (SQL injection).


Reports that use what are called "lexical references" are affected. A lexical reference (written as &parameter in the report's SQL query) is a placeholder whose value is substituted verbatim into the query text before the statement is parsed, so it can stand for an entire WHERE or ORDER BY clause rather than a single bound value. If &paramform=yes is appended to the URL of such a report, the report's parameter form opens in a new browser window, where the value of the lexical parameter, and with it the SQL that the report executes, can be changed easily. In the advisory, a number of examples of improper implementations are provided along with proposed solutions to work around this problem.
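The pattern described above, shown as an added example written for this page; it is not code from the advisory or from Oracle, and the table, column and parameter names (emp, deptno, P_WHERE, P_ORDER, P_ORDER_BY, the SRW message number 1001) are assumptions chosen for illustration. The first query is the vulnerable form, the second the bind-variable form, and the trigger shows how a lexical reference that is genuinely needed can be constrained to a whitelist before the query is built:

```sql
-- VULNERABLE report query (assumed names). &P_WHERE is a lexical
-- reference: Oracle Reports pastes the parameter's text into the
-- statement before parsing it. P_WHERE needs an initial value such as
-- "WHERE deptno = 10" so the query compiles at design time, which is
-- also why it is usually left as a free-text parameter.
SELECT empno, ename, sal
  FROM emp
 &P_WHERE

-- Intended value of P_WHERE, set by the calling page:
--   WHERE deptno = 10
-- Value a user can type once the parameter form is reachable via
-- ...&paramform=yes (constructed example, any valid SQL fragment works):
--   WHERE 1 = 1 UNION ALL SELECT user_id, username, 0 FROM all_users
-- The report executes the resulting statement with the report user's
-- privileges, so the second branch of the UNION is returned as well.

-- HARDENED form where the dynamic part is a single value: a bind
-- reference (:P_DEPTNO) is passed to the database as data, never as
-- SQL text, so its content cannot alter the statement.
SELECT empno, ename, sal
  FROM emp
 WHERE deptno = :P_DEPTNO

-- HARDENED form where a lexical reference is unavoidable (here the sort
-- column). This is the report's After Parameter Form trigger (PL/SQL):
-- it only ever copies whitelisted values into the lexical parameter
-- P_ORDER_BY, which the query then uses as "... &P_ORDER_BY".
-- Returning FALSE aborts the report run.
function AfterPForm return boolean is
begin
  if :P_ORDER not in ('ENAME', 'SAL', 'HIREDATE') then
    -- 1001 is an arbitrary, assumed message number for this example
    srw.message(1001, 'Invalid sort column: ' || :P_ORDER);
    return (FALSE);
  end if;
  :P_ORDER_BY := 'ORDER BY ' || :P_ORDER;
  return (TRUE);
end;
```

The trigger deliberately compares against fixed literals rather than trying to filter out characters such as quotes or comment markers: with a lexical reference the parameter value becomes SQL text, so only a closed list of known-good values is safe. Exposing the parameter form itself (paramform=yes) is a separate matter; the whitelist holds regardless of how the value reaches the report.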

Kornbrust believes that such reports with lexical references are very popular because they are so powerful.
