Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: Security - Read-only user can modify data via views

From: Jesse, Rich <Rich.Jesse_at_qg.com>
Date: Wed, 12 Apr 2006 09:26:49 -0500
Message-ID: <FB5D3CCFCECC2948B5DCF4CABDBE66975460BA@QTEX1.qg.com>


I'm a little confused as to the severity of this. Perhaps I've already modified my DBSNMP account, but I'm not able to create ANY view under 10.2. 9.2.0.5 worked but only because the dbsnmp account had stupidly been given the CONNECT role, and I had to re-enable the account and change the password to be able to login as dbsnmp.

I thought that Oracle had already recommended to:

So I guess I don't see this as really being a big deal. To me, it's just a combination of exploiting the default lack of security set up by catalog.sql (and its sub-cronies).

Thoughts?

Rich

-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Andre van Winssen
Sent: Wednesday, April 12, 2006 6:30 AM
To: oracle-l_at_freelists.org
Subject: Re: Security - Read-only user can modify data via views

yes, and I told the poster, Alexander Kornbrust, that his company is very careless and irresponsible by revealing so much detail. It took little time before I was able to delete data that wasn't mine or change dba account passwords for which my oracle account had no priv. No patch available yet and it works in all latest and greatest database versions. Checked it myself.
Are you ready for the next CPU?

Regards,
Andre

-: An Oracle error is an index on the solutions table :-
-: Andre

> Has anyone read this -
>
> http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html
>
> The note mentioned seems to have been taken out from the metalink now.
>
> Thanks
> Manmohan

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Apr 12 2006 - 09:26:49 CDT
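Rich's point above is that the account only got as far as CREATE VIEW because DBSNMP had been handed the CONNECT role (which in 9.2 still carried CREATE VIEW), and that in 10.2 the same account can no longer create any view. The check a DBA would want is therefore not version-specific: which accounts can create views at all, directly or through a role? The Oracle SQL below is an added example written for this archive page, not something posted in the thread or published in the advisory. It assumes it is run by a DBA with access to the DBA_* views and only follows one level of role nesting; the account name in the commented REVOKE is a placeholder.

```sql
-- Added example (not from the thread): find every account that holds
-- CREATE VIEW, either as a direct grant or through a role such as
-- CONNECT, so a supposedly read-only account can be spotted and stripped.
-- Assumes DBA access to DBA_USERS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS.

-- 1. What does the CONNECT role actually carry on this instance?
--    (9.2 answers with eight privileges including CREATE VIEW;
--     10.2 answers with CREATE SESSION only.)
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'CONNECT'
 ORDER BY privilege;

-- 2. Who can create views, and how did they get the privilege?
SELECT u.username,
       u.account_status,
       'DIRECT' AS via
  FROM dba_users u
  JOIN dba_sys_privs p ON p.grantee = u.username
 WHERE p.privilege = 'CREATE VIEW'
UNION ALL
SELECT r.grantee         AS username,
       u.account_status,
       'ROLE ' || r.granted_role AS via       -- one level of nesting only
  FROM dba_role_privs r
  JOIN dba_users     u ON u.username = r.grantee
  JOIN dba_sys_privs s ON s.grantee  = r.granted_role
 WHERE s.privilege = 'CREATE VIEW'
 ORDER BY 1, 3;

-- 3. Confirm the monitoring account the thread mentions is still locked
--    and is not sitting on a role it does not need.
SELECT u.username, u.account_status, r.granted_role
  FROM dba_users u
  LEFT JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.username = 'DBSNMP';

-- 4. Remediation for an account that should be read-only (placeholder name):
-- REVOKE CREATE VIEW FROM some_readonly_user;
-- REVOKE CONNECT FROM some_readonly_user;
-- GRANT CREATE SESSION TO some_readonly_user;
```

Query 2 deliberately reports the role name, because revoking CREATE VIEW from CONNECT itself is the wrong fix: every other account holding CONNECT loses it too, and the next catalog.sql run may put it back. Revoke the role from the account and grant CREATE SESSION directly instead.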
