Would you recommend such an application for production use?
Date: Wed, 17 Feb 2010 21:20:04 +0000
I tried to come up with a good name for this post but couldn't. So here goes the story:
I have been asked to review a product that management is _very_ keen to deploy in production. Unfortunately before this can happen it has to go through a change management process which implies that "troublemakers" like me can raise their concerns that need addressing. For a change I have access to the source code of the application which makes it even more interesting.
I discovered a number of things I don't like but was wondering what you thought about these - maybe I'm just pedantic? Among the most terrifying ones are:
- The installation script creates a user (default username = password) and grants select privileges on the dictionary to the new application user with grant option.
This is not too great but not too difficult to harden.
- The installation script furthermore creates objects in the SYS schema, namely `create view foo as select * from someX$view`.
This is disturbing for me.
- The owner of the application schema grants almost complete access on its schema to PUBLIC. The rationale is that the application needs to allow a user logging into the database through the frontend access to its schema.
Now, since the software is used for monitoring the health of a web application through the tiers - including Oracle - anyone with connect privileges could access these data...
Has anyone had a similar experience? What did you do?
Interested to hear comments!
Martin

Received on Wed Feb 17 2010 - 15:20:04 CST
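The three findings in the post (dictionary access handed out with grant option, vendor objects created inside SYS, and application objects opened up to PUBLIC) can all be verified from the data dictionary before the change goes through. The script below is an added example for that review, not code from the poster or from the product being reviewed; it assumes a DBA-privileged session, Oracle 10g/11g-era dictionary views, and a hypothetical application schema called APP_OWNER, and the "created within the last 7 days" window is an assumption about when the installer ran.

```sql
-- Finding 1a: accounts created by the installer (candidates for the
-- username = password default). APP_OWNER and the 7-day window are assumptions.
SELECT username, account_status, created
FROM   dba_users
WHERE  created > SYSDATE - 7
ORDER  BY created;

-- Finding 1b: dictionary access that can be passed on. Three ways it can
-- have been granted: a system privilege WITH ADMIN OPTION, the catalog role
-- WITH ADMIN OPTION, or object grants on SYS-owned objects WITH GRANT OPTION.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
AND    admin_option = 'YES';

SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'SELECT_CATALOG_ROLE'
AND    admin_option = 'YES';

SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    grantable = 'YES'
AND    grantee NOT IN ('SYSTEM', 'DBA')
ORDER  BY grantee, table_name;

-- Finding 2: non-Oracle objects living in SYS. Anything created well after
-- the database itself (and outside a patch/upgrade window) deserves a look,
-- and a view in SYS that depends on an X$ fixed table is almost certainly
-- the vendor's "create view foo as select * from someX$view".
SELECT o.object_name, o.object_type, o.created
FROM   dba_objects o
WHERE  o.owner = 'SYS'
AND    o.object_type = 'VIEW'
AND    o.created > (SELECT created FROM v$database) + 1
ORDER  BY o.created;

SELECT d.name AS view_name, d.referenced_name AS fixed_table
FROM   dba_dependencies d
WHERE  d.owner = 'SYS'
AND    d.type = 'VIEW'
AND    d.referenced_name LIKE 'X$%'
AND    d.name NOT LIKE 'V\_$%' ESCAPE '\'   -- skip Oracle's own V_$ views
AND    d.name NOT LIKE 'GV\_$%' ESCAPE '\'
ORDER  BY d.name;

-- Finding 3: what PUBLIC (i.e. every account with CREATE SESSION) can do
-- against the application schema.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'APP_OWNER'
ORDER  BY table_name, privilege;

-- Mitigation for finding 3: generate the REVOKE statements, then give the
-- frontend accounts a dedicated role instead of relying on PUBLIC.
SELECT 'REVOKE ' || privilege || ' ON "' || owner || '"."' || table_name
       || '" FROM PUBLIC;' AS fix_statement
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'APP_OWNER';

CREATE ROLE app_frontend_reader;
-- Grant only what the frontend actually reads, e.g.:
-- GRANT SELECT ON app_owner.some_table TO app_frontend_reader;
-- GRANT app_frontend_reader TO <frontend account>;
```

Run the findings queries once before and once after hardening so the change record shows the delta; the generated REVOKE list doubles as the evidence that the PUBLIC exposure was closed rather than merely discussed.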