Oracle FAQ: Your Portal to the Oracle Knowledge Grid
Mailing list: Oracle-L

another security issue with Oracle 9.x

From: Jacques Kilchoer <Jacques.Kilchoer_at_quest.com>
Date: Thu, 14 Feb 2002 16:41:42 -0800
Message-ID: <F001.00410760.20020214155827@fatcity.com>

I hate to seem overly "alarmist", but in addition to the SNMP security issue mentioned already, I have read of this problem discovered by Next Generation Security Software Ltd. in Sutton, England:

http://www.nextgenss.com/advisories/oraplsextproc.txt

<<A large part of Oracle database functionality is provided by PL/SQL packages. PL/SQL, or Procedural Language/Structured Query Language, extends SQL and allows an "executable" package to be created that exports procedures and functions. PL/SQL packages can be extended to call functions exported by operating system libraries or Dynamic Link Libraries. It is possible to create a (PL/SQL) library and PL/SQL package that calls any function in any library on the file system. An attack would probably call system() and pass the name of a program to be executed. It is apparent that to do this a user must be able to connect to the Oracle database server and login with an account that has the CREATE LIBRARY permission before an attack becomes successful. However, NGSSoftware Insight Security Research has discovered a way to fool the Oracle database server into loading arbitrary libraries and executing arbitrary functions without ever having to authenticate.>>

(more details at the link)

Received on Thu Feb 14 2002 - 18:41:42 CST
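The advisory excerpt above hinges on two things a DBA can inventory from the data dictionary: who holds the library privileges, and which PL/SQL units already reach out to operating-system libraries. The following audit queries are an added example, not part of the original post or the NGSS advisory; they assume a session with SELECT on the DBA_* views of an Oracle 9.x database and use only standard dictionary views (DBA_SYS_PRIVS, DBA_ROLE_PRIVS, ROLE_SYS_PRIVS, DBA_LIBRARIES, DBA_DEPENDENCIES).

```sql
-- Added audit example (not from the post or the advisory).
-- Assumes a session that can read the DBA_* and ROLE_SYS_PRIVS views.

-- 1. Direct grants of the library privileges to users or roles.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY',
                     'ALTER ANY LIBRARY', 'DROP ANY LIBRARY')
 ORDER BY grantee, privilege;

-- 2. Indirect grants: start at every role that holds a library
--    privilege and walk UP the grant chain (role -> role -> user).
--    LEVEL 1 rows are direct recipients of the role; deeper rows
--    reach the privilege through nested roles. Oracle rejects
--    circular role grants, so the walk terminates.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || grantee AS grantee,
       granted_role,
       LEVEL                                   AS depth
  FROM dba_role_privs
 START WITH granted_role IN (SELECT role
                               FROM role_sys_privs
                              WHERE privilege IN ('CREATE LIBRARY',
                                                  'CREATE ANY LIBRARY'))
CONNECT BY PRIOR grantee = granted_role;

-- 3. Libraries that already exist and the OS file each one points at.
--    A FILE_SPEC outside the expected $ORACLE_HOME paths deserves a look.
SELECT owner, library_name, file_spec, dynamic, status
  FROM dba_libraries
 ORDER BY owner, library_name;

-- 4. PL/SQL units (packages, procedures, functions) that depend on a
--    library, i.e. the code that actually calls into native functions.
SELECT d.owner, d.name, d.type,
       d.referenced_owner, d.referenced_name AS library_name
  FROM dba_dependencies d
 WHERE d.referenced_type = 'LIBRARY'
 ORDER BY d.owner, d.name;
```

Compare the results of queries 1 and 2 against the accounts that genuinely need external procedures; in most installations that list is empty, so any unexpected grantee is a finding.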

