Forum OpenACS Q&A: Response to Bugtraq: Oracle security

Posted by Jon Griffin on
There are potentially several ACS security flaws, but I won't post them until I finish testing. And these aren't root exploits, just minor embarrassment type of things.

AOLserver is relatively secure, but I think there may be several ways to smash the stack (this was based on a really quick look at the source, albeit 3.2 era).

Also, all this code needs to be checked for buffer overflows, especially tcl.

The biggest problem is multiple failure points (potentially). You have

  • the OS (probably the most audited part).
  • AOLserver (I haven't seen any audits)
  • By extension, tcl/tk (again I haven't seen any audits, but it is probably more checked over than AOLserver)
  • Postgres (I haven't looked at that at all)
  • Oracle (definitely has several exploits of varying degrees)
  • OpenACS (this was somewhat audited as ACS 3.something when a HUGE exploit was found by Petru and fixed later with new mechanisms making their way into the 4.x code, i.e. bind vars, db api changes etc.)

Of all the above I feel most confident (in order) of:

  • OS security (at least there is a lot written on it and plenty of patches)
  • OpenACS
  • TCL
  • AOLserver
  • Oracle

As I haven't looked at PG source I can't say much about it.