Imperva: Protecting the Data that Drives Business
ADC Security Advisories

In-Depth Research, Timely Responsible Notifications

The nature of the IT security business requires us to remain one step ahead of malicious users. Our continual vigilance and timely dissemination of security information mitigates the damage from database and application threats and vulnerabilities. We at the Imperva Application Defense Center are intent on building the most advanced application and database security knowledge base in the world by discovering database vulnerabilities before they're exploited.

In order to bring you these published Security Advisories, we conduct in-depth research in our labs, utilize real-world experience, and leverage publicly available information. Each day, we strive to uncover new attack and defense techniques and new application, platform, and database vulnerabilities. When we find a database or application security issue, we work within industry guidelines and responsible disclosure ethics to notify the vendor and publish the Advisory. Our ultimate goal is to provide you with accurate, timely information so that you know the steps you need to take to secure your applications and databases and protect confidential data.

Benefit to SecureSphere Customers

Imperva customers benefit from our research with updates to SecureSphere through automated ADC Security Updates as well as ADC Insights. With Imperva, you are protected against the latest security threats, often well ahead of patches released from application and database security vendors.

ADC Security Advisories

The following are currently published ADC Security Advisories. Periodically check this page to locate newly published Advisories.

DB2 UDB - FDOCA Manipulation DoS Attack

This security advisory discusses an FD:OCA data object structure vulnerability that allows an attacker to terminate the DB2 UDB's service, effectively denying service from all database users.

Oracle EBS - SQL Injection vulnerability

This security advisory discusses a SQL Injection vulnerability in an unauthenticated part of the application.

Oracle EBS - XSS and Unchecked Redirection vulnerabilities

This security advisory discusses vulnerabilities that can be exploited for stealing sensitive data and executing phishing attacks.

Oracle PeopleTools – Authentication Weakness

This security advisory discusses a vulnerability, discovered by Imperva, that affects PeopleSoft applications and enables unrestricted brute-force login attacks.

Oracle DBMS – Proxy Authentication Vulnerability

This security advisory discusses a vulnerability, discovered by Imperva, that allows an attacker to establish a database session without supplying a password when connecting through Oracle's proxy authentication mode.

Oracle DBMS – Access Control Bypass with Direct Path Export

This security advisory discusses an access control bypass vulnerability that was discovered by Imperva.

Informix DBMS - SQ_ONASSIST Denial of Service Attack

This advisory describes a Denial of Service attack against Informix Dynamic Server. This vulnerability was discovered by Imperva and fixed in the IBM IDS 11.10.*C2 release in October 2007.

Oracle EBS – XSS Vulnerability

This security advisory discusses a cross-site scripting vulnerability in Oracle E-Business Suite that was discovered by Imperva and is addressed in Oracle's July 2007 Critical Patch Update.

Web 2.0, AJAX and Client Security Logic

An illustration of the problems created by Web 2.0 development frameworks such as AJAX that place increasing emphasis on client-side browser code (JavaScript, etc.) as a mechanism for enforcing security logic.

DB2 RDBMS - Critical Denial of Service Vulnerability in Database Communication Protocol

Illustrates the need for the validation of database communication protocols in database security products.

DB2 DBMS - Critical Buffer Overrun Vulnerability

An illustration of the risk of depending on database vendor patches for database security.

Oracle DBMS - Critical Patch Update 04/18/06

This security advisory discusses the database vulnerabilities in Oracle's April 2006 CPU and offers some available workarounds.

Oracle DBMS - Critical Access Control Bypass in Login Bug

An illustration of the risk of depending on database vendor patches for database security.

Microsoft SQL Server Audit Bug

An illustration of the problems created when relying on a database server to audit itself.

Arbitrary File Access and Denial of Service Vulnerabilities in Business Objects' Crystal Report Web Delivery Modules

Crystal Reports modules which deliver image files through the web are vulnerable in a way that can be exploited for arbitrary file access and denial of service.

Incorrect Handling of Cross Site Scripting Protection in ASP.Net

The ASP.Net request validation feature has an implementation flaw which allows an attacker to easily bypass the content restrictions, possibly exposing the application to cross site scripting and script injection attacks.

ADC Security Responses

If Imperva SecureSphere is listed on a vulnerability alert, such as from CERT, the ADC publishes Security Responses to those alerts. Check this page to locate newly published Responses.

Imperva Security Response for VU#739224

The U.S. Computer Emergency Response Team (US-CERT) has reported a Web attack evasion technique using full-width and half-width Unicode characters intended to evade inspection by IDS/IPS/WAF security products.

Upcoming Security Alerts

Report Date    Vendor Code    Versions Affected               Severity

IBM
02-Aug-2007    -              Informix IDS 10TC3              High
25-Feb-2007    -              Informix IDS 11 and earlier     Critical
25-Feb-2007    -              Informix IDS 10 TC5             Low
17-Jan-2007    -              Informix IDS 10UC6 and earlier  High

Oracle
22-Apr-2009    14435443       Oracle 10.2 and later           Low
19-Apr-2009    14428169       Oracle 10.2 and later           Low
20-Jan-2009    13766853       Oracle 10.2                     High
20-Jan-2009    13761009       Oracle 10.2 and later           Low
20-Jan-2009    13767417       Oracle 10.2 and later           Low
20-Jan-2009    13795651       Oracle 10.2 and later           Low
14-Jun-2007    10097059       EBS 11.x                        Low
31-May-2007    9909517        Oracle EBS all versions         Medium
31-May-2007    9909589        Oracle EBS all versions         Low
20-Dec-2005    6808279        Oracle 10.2 and earlier         High

DWR
07-Nov-2007    -              DWR 2.0.1 and earlier           High
