RE: Would you recommend such an application for production use?

From: Mohammad Rafiq <>
Date: Wed, 17 Feb 2010 20:01:29 -0500
Message-ID: <BAY107-W110F65EF9DD8694D09F7BBA1470_at_phx.gbl>


You just provide your professional view to decision makers. Most vendor products come with such surprises and all types of security deviations. The beautiful part is that vendors don't agree to make any changes to the application.

It is possible that no one will agree with you at this stage, but at a later stage, if any security violations are reported, you will be on the safe side.



> Date: Wed, 17 Feb 2010 21:20:04 +0000
> From:
> To:
> Subject: Would you recommend such an application for production use?
> Dear listers,
> I tried to come up with a good name for this post but couldn't. So here
> goes the story:
> I have been asked to review a product that management is _very_ keen to
> deploy in production. Unfortunately before this can happen it has to go
> through a change management process which implies that "troublemakers"
> like me can raise their concerns that need addressing. For a change I
> have access to the source code of the application which makes it even
> more interesting.
> I discovered a number of things I don't like but was wondering what you
> thought about these - maybe I'm just pedantic? Among the most terrifying
> ones are:
> - The installation script creates a user (default username = password)
> and grants select privileges on the dictionary to the new application
> user with grant option.
> This is not too great but not too difficult to harden.
> - the installation script furthermore creates objects in the sys schema,
> namely create view foo as select * from someX$view
> This is disturbing for me
> - the owner of the application schema grants almost complete access on
> its schema to public. The rationale is that the application needs to
> allow a user logging into the database through the frontend access to
> its schema
> Now since the software is used for monitoring the health of a web
> application through the tiers, including Oracle, anyone with connect
> privileges could access these data...
> Has anyone had a similar experience? What did you do?
> Interested to hear comments!
> Martin
> --

Received on Wed Feb 17 2010 - 19:01:29 CST
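Since Martin has the source, the four findings he lists (an account whose password equals its username, dictionary grants handed out with grant or admin option, vendor objects created in the SYS schema, and the application schema opened to PUBLIC) can all be caught by scanning the installation script before it is ever run. The Python below is an added example, not code from this thread or from the vendor product under review; the installation SQL it scans is a constructed stand-in that reproduces those four patterns, and `sys.x$example` is a placeholder object name.

```python
import re

# Constructed excerpt of an installation script that reproduces the four
# patterns described in the thread. It is NOT the vendor script under review;
# sys.x$example is a placeholder name.
SAMPLE_INSTALL_SQL = """
-- application account: password equals username
CREATE USER appmon IDENTIFIED BY appmon DEFAULT TABLESPACE users;
GRANT CREATE SESSION TO appmon;
-- dictionary access, and transitive at that
GRANT SELECT ANY DICTIONARY TO appmon WITH ADMIN OPTION;
GRANT SELECT ON sys.v_$session TO appmon WITH GRANT OPTION;
-- vendor object planted in the SYS schema
CREATE VIEW sys.foo AS SELECT * FROM sys.x$example;
-- application schema opened up to every connected user
CREATE TABLE appmon.monitor_data (id NUMBER, sample CLOB);
GRANT SELECT, INSERT, UPDATE, DELETE ON appmon.monitor_data TO PUBLIC;
-- these two are fine and must not be flagged
GRANT SELECT ON appmon.monitor_data TO reporting_role;
CREATE USER reporter IDENTIFIED BY "Zq9!mLp2#" DEFAULT TABLESPACE users;
"""

DICTIONARY_OWNERS = ("SYS", "SYSTEM")

# Heuristic patterns over flattened DDL statements; this is not a SQL parser.
CREATE_USER_RE = re.compile(
    r'CREATE\s+USER\s+"?(\w+)"?\s+IDENTIFIED\s+BY\s+"?([^\s";]+)"?', re.I)
GRANT_RE = re.compile(
    r'GRANT\s+(.+?)\s+(?:ON\s+(\S+)\s+)?TO\s+(\S+)(.*)$', re.I)
CREATE_OBJECT_RE = re.compile(
    r'CREATE\s+(?:OR\s+REPLACE\s+)?(?:FORCE\s+)?'
    r'(?:TABLE|VIEW|PROCEDURE|FUNCTION|PACKAGE|TRIGGER|SYNONYM|TYPE)\s+'
    r'"?(\w+)"?\."?(\w+)"?', re.I)


def split_statements(sql):
    """Drop -- comments, split on ';' and collapse whitespace.
    Adequate for plain DDL scripts, not for PL/SQL blocks that carry ';'."""
    sql = re.sub(r"--[^\n]*", "", sql)
    return [" ".join(s.split()) for s in sql.split(";") if s.strip()]


def audit_install_script(sql):
    """Return (finding, subject, statement) tuples for each risky statement."""
    findings = []
    for stmt in split_statements(sql):
        # 1. CREATE USER where the password is the username.
        m = CREATE_USER_RE.match(stmt)
        if m and m.group(1).lower() == m.group(2).lower():
            findings.append(("DEFAULT_PASSWORD", m.group(1).upper(), stmt))

        # 2./3. GRANT statements: transitive grants, dictionary access, PUBLIC.
        g = GRANT_RE.match(stmt)
        if g:
            privs, obj, grantee, tail = g.groups()
            grantee, tail = grantee.upper(), tail.upper()
            owner = obj.split(".")[0].upper() if obj and "." in obj else None
            if "WITH GRANT OPTION" in tail or "WITH ADMIN OPTION" in tail:
                findings.append(("TRANSITIVE_GRANT", grantee, stmt))
            if owner in DICTIONARY_OWNERS or "ANY DICTIONARY" in privs.upper():
                findings.append(("DICTIONARY_ACCESS", grantee, stmt))
            if grantee == "PUBLIC":
                findings.append(("GRANT_TO_PUBLIC", (obj or privs).upper(), stmt))

        # 4. Schema-qualified objects created inside SYS or SYSTEM.
        c = CREATE_OBJECT_RE.match(stmt)
        if c and c.group(1).upper() in DICTIONARY_OWNERS:
            subject = f"{c.group(1)}.{c.group(2)}".upper()
            findings.append(("OBJECT_IN_SYS", subject, stmt))
    return findings


if __name__ == "__main__":
    for kind, subject, stmt in audit_install_script(SAMPLE_INSTALL_SQL):
        print(f"{kind:18} {subject:22} {stmt}")
```

Two caveats worth knowing before relying on this: the regexes only catch schema-qualified CREATE statements, so an unqualified `CREATE VIEW foo ...` executed while connected as SYS lands in SYS just the same and will not be flagged, and the split on `;` breaks down inside PL/SQL blocks. Treat the script scan as the pre-deployment gate and confirm the end state after a test install with the usual dictionary views (DBA_SYS_PRIVS and DBA_TAB_PRIVS for the grants, DBA_OBJECTS for anything new under SYS).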
