Re: PUBLIC privileges on XDB$ACL

From: Subodh Deshpande <deshpande.subodh_at_gmail.com>
Date: Fri, 20 Jul 2012 06:38:01 +0530
Message-ID: <CAJsOtB4znj1XDmOGsxuFivDX70HpBu_opVY0ifhpvhP=LU2irg_at_mail.gmail.com>

Becoming interesting!
Can someone provide a test case whereby it can be tested how an attacker can attack any SQL/PL/SQL code, please?
On 20 July 2012 01:06, Rich Jesse <rjoralist2_at_society.servebeer.com> wrote:

> David writes:
>
> > From what I can gather from everyone's responses 10gR1 (and 9x etc)
> > grants *all* whereas 10gR2 grants only select, insert, update and delete.
> > The difference is small but important. As an advisory to anyone with the
> > INDEX privilege still in place on this table for PUBLIC I'd recommend
> > revoking it - this opens a hole that allows people to run PL/SQL code with
> > XDB privileges. This could pose a problem to some installations as XDB can
> > execute DBMS_RLS and therefore an attacker could effectively disable any
> > virtual private databases on the server.
>
> Interesting! This is one reason why I'm adamant about "deinstalling" all
> unnecessary modules prior to my upgrade to 11.2. Some necessary ones, too,
> which I will install manually after the upgrade is complete, even though it
> looks like this particular issue is accounted for in the upgrade script (if
> it's "xdbpatch.sql" in 11.2.0.3).
>
> Thanks David!
>
> Rich
>
> --
> http://www.freelists.org/webpage/oracle-l
>

-- 
=============================================
This Gmail Account will be deactivated in One Month's Time
=============================================
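An added audit block, not part of this message or of the thread it replies to, that shows the defender's side of David's advice: it lists every object privilege PUBLIC holds on XDB.XDB$ACL, treats SELECT/INSERT/UPDATE/DELETE as the expected 10gR2 set, and prints (but does not run) a REVOKE for anything wider, such as INDEX. It assumes a DBA account that can read DBA_TAB_PRIVS and that the table is owned by XDB.

```sql
-- Constructed audit script (not from the thread): report PUBLIC privileges on
-- XDB.XDB$ACL and flag any beyond the four DML privileges 10gR2 grants.
SET SERVEROUTPUT ON
DECLARE
  v_found BOOLEAN := FALSE;
BEGIN
  FOR r IN (SELECT privilege
              FROM dba_tab_privs
             WHERE grantee    = 'PUBLIC'
               AND owner      = 'XDB'
               AND table_name = 'XDB$ACL'
             ORDER BY privilege)
  LOOP
    v_found := TRUE;
    IF r.privilege IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE') THEN
      DBMS_OUTPUT.PUT_LINE('expected  : ' || r.privilege);
    ELSE
      -- Anything else (INDEX, ALTER, REFERENCES, ...) is wider than the
      -- 10gR2 grant set; print the revoke so a DBA can review it first.
      DBMS_OUTPUT.PUT_LINE('unexpected: ' || r.privilege ||
                           '  -> REVOKE ' || r.privilege ||
                           ' ON XDB.XDB$ACL FROM PUBLIC;');
    END IF;
  END LOOP;
  IF NOT v_found THEN
    DBMS_OUTPUT.PUT_LINE('no PUBLIC privileges on XDB.XDB$ACL');
  END IF;
END;
/
```

Run it before and after an upgrade or patch (Rich mentions xdbpatch.sql in 11.2.0.3) to confirm the PUBLIC grant set actually changed.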


Received on Thu Jul 19 2012 - 20:08:01 CDT
