Hackproofing Oracle eBusiness Suite

Black Hat USA 2016

Presented by: David Litchfield
Date: Wednesday August 03, 2016
Time: 11:30 - 12:20
Location: Lagoon K

A recent security review by David Litchfield of Oracle's eBusiness Suite (fully patched) revealed that it is vulnerable to a number of (unauthenticated) remote code execution flaws, a slew of SQL injection vulnerabilities and Cross Site Scripting bugs. Since the product is used by large corporations across the globe, the question becomes how one secures it given its weaknesses. This talk will examine those weaknesses with demonstration exploits, then look at how one can protect their systems against these attacks.

David Litchfield

David Litchfield is recognized as one of the world's leading authorities on database security. He is the author of the Oracle Hacker's Handbook, the Database Hacker's Handbook, SQL Server Security and is the co-author of the Shellcoder's Handbook. With over 220 CVE-IDs attributed to David since 1999, and after 8 CERT advisories issued based upon his research (no - he didn't write SQL Slammer but he did find the flaw it exploited!), he is currently working for Google as a security engineer.

