Using Reverse Proxies To Secure Databases
This study describes a novel technique for protecting against SQL injection by putting a reverse proxy in front of the database. It is not a foolproof solution, however, and maintaining and updating the permitted queries under this approach becomes cumbersome and hard to manage. As the study itself suggests, generic web application firewall rules do not provide protection against SQL injection. You need to find the root cause and either fix the code programmatically or write custom rules for the specific vulnerability. NTOSpider can help you find the vulnerabilities, and NTODefend can help you generate rules as a mitigation until the code can be updated –
http://www.darkreading.com/database-security/167901020/security/news/232900232/using-reverse-proxies-to-secure-databases.html
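The "fix the code" option above is what a proxy or WAF rule can only approximate. The following is an added example, not code from the Dark Reading article or from NT OBJECTives: a login check written with string concatenation beside the same check written as a parameterized query, run against a constructed in-memory SQLite table. The table contents and the `' OR '1'='1` payload are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real credentials)
USERS = [("alice", "wonderland"), ("bob", "builder"), ("carol", "secret")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Root-cause bug: input is concatenated into the SQL text, so the
    attacker controls the query's structure, not just its values."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_fixed(conn, username, password):
    """Root-cause fix: bound parameters are sent as values; the driver never
    parses them as SQL, so quotes in the input cannot change the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run the same injection payload through both versions."""
    conn = make_db()
    payload = "' OR '1'='1"   # classic tautology payload, assumed for the demo
    return {
        # AND binds tighter than OR, so the WHERE clause becomes
        # (username='alice' AND password='') OR '1'='1' -> every row matches
        "vulnerable": login_vulnerable(conn, "alice", payload),
        # the payload is compared as a literal password and matches nothing
        "fixed": login_fixed(conn, "alice", payload),
        # a genuine credential still works with the fixed version
        "legit": login_fixed(conn, "alice", "wonderland"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version returns all three usernames for the payload, the parameterized version returns none, and a real credential still authenticates. A proxy rule that catches this exact payload would not catch the next encoding of it, which is why the rule is a stop-gap and the parameterized query is the fix.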
Oracle Enterprise Manager – 2 SQLi Vulnerabilities
2 SQLi vulns were closed in April’s Critical Patch Update. Both are remotely exploitable but rated medium risk. http://cxsecurity.com/issue/WLB-2012040163 affected the Search page, and it took 8 months from vendor notification to patch release. http://cxsecurity.com/issue/WLB-2012040162, which affected the first Config page of the Compare Wizard, took over 2 years between notification and patch. As much as we talk about SQLi, that vector doesn’t go away.