
Application Defense Center

Application and Database Security Research

In-Depth Research, Timely Responsible Notifications

The nature of the IT security business requires us to remain one step ahead of malicious users. Our continual vigilance and timely dissemination of security information mitigates the damage from database and application threats and vulnerabilities. We at the Imperva Application Defense Center are intent on building the most advanced application and database security knowledge base in the world by discovering database vulnerabilities before they're exploited.

In order to bring you these published Security Advisories, we conduct in-depth research in our labs, draw on real-world experience, and leverage publicly available information. Each day, we strive to uncover new attack and defense techniques as well as application, platform, and database vulnerabilities. When we find a database or application security issue, we work within industry guidelines and responsible-disclosure ethics to notify the vendor and then publish the Advisory. Our ultimate goal is to provide you with accurate, timely information so that you know which steps to take to secure your applications and databases and protect confidential data.

Benefit to SecureSphere Customers

Imperva customers benefit from our research with updates to SecureSphere through automated ADC Security Updates as well as ADC Insight Services. With Imperva, you are protected against the latest security threats, often well ahead of patches released from application and database security vendors.

ADC Security Advisories

The following are currently published ADC Security Advisories. Periodically check this page to locate newly published Advisories.


Oracle DBMS – Access Control Bypass with Direct Path Export

This security advisory discusses an access control bypass vulnerability that was discovered by Imperva.

Oracle EBS – XSS Vulnerability

This security advisory discusses a cross-site scripting vulnerability in Oracle E-Business Suite that was discovered by Imperva and is addressed in Oracle’s July 2007 Critical Patch Update.

Web 2.0, AJAX and Client Security Logic

An illustration of the problems created by Web 2.0 development frameworks such as AJAX that place increasing emphasis on client-side browser code (JavaScript, etc.) as a mechanism for enforcing security logic.

DB2 RDBMS - Critical Denial of Service Vulnerability in Database Communication Protocol

Illustrates the need for the validation of database communication protocols in database security products.

DB2 DBMS - Critical Buffer Overrun Vulnerability

An illustration of the risk of depending on database vendor patches for database security.

Oracle DBMS - Critical Patch Update 04/18/06

This security advisory discusses the database vulnerabilities in Oracle's April 2006 CPU and offers some available workarounds.

Oracle DBMS - Critical Access Control Bypass in Login Bug

An illustration of the risk of depending on database vendor patches for database security.

Microsoft SQL Server Audit Bug

An illustration of the problems created when relying on a database server to audit itself.

Arbitrary File Access and Denial of Service Vulnerabilities in Business Objects’ Crystal Report Web Delivery Modules

Crystal Reports modules which deliver image files through the web are vulnerable in a way that can be exploited for arbitrary file access and denial of service.

Incorrect Handling of Cross Site Scripting Protection in ASP.Net

The ASP.Net request validation feature has an implementation flaw which allows an attacker to easily bypass the content restrictions, possibly exposing the application to cross site scripting and script injection attacks.


ADC Security Responses

If Imperva SecureSphere is listed on a vulnerability alert, such as from CERT, the ADC publishes Security Responses to those alerts. Check this page to locate newly published Responses.


Imperva Security Response for VU#739224

The U.S. Computer Emergency Response Team (US-CERT) has reported a Web attack evasion technique using full-width and half-width Unicode characters intended to evade inspection by IDS/IPS/WAF security products.


Upcoming Security Alerts

Report date    Vendor code    Versions affected                 Severity

IBM
17/01/2007                    Informix IDS 10UC6 and earlier    High
02/08/2007                    Informix IDS 10TC3                High
25/02/2007                    Informix IDS 11 and earlier       Critical
25/02/2007                    Informix IDS 10 TC5               Low

Oracle
14/06/2007     10097059       EBS 11.x                          Low
13/12/2005     6768557        Oracle 10.2 and earlier           Medium
20/12/2005     6808279        Oracle 10.2 and earlier           High
20/09/2006     8645119        Oracle 10.2 and earlier           Medium
31/07/2007     10404365       Oracle EBS all versions           Medium
31/05/2007     9909517        Oracle EBS all versions           Medium
31/05/2007     9909589        Oracle EBS all versions           Low

DWR
07/11/2007                    DWR 2.0.1 and earlier             High