Re: PUBLIC privileges on XDB$ACL
Date: Fri, 20 Jul 2012 06:38:01 +0530
Can someone provide a test case whereby it can be tested how an attacker can attack any SQL/PL/SQL code, please?
On 20 July 2012 01:06, Rich Jesse <rjoralist2_at_society.servebeer.com> wrote:
> David writes:
> > From what I can gather from everyone's responses 10gR1 (and 9x etc)
> > *all* whereas 10gR2 grants only select, insert, update and delete. The
> > difference is small but important. As an advisory to anyone with the
> > privilege still in place on this table for PUBLIC I'd recommend revoking
> > it - this opens a hole that allows people to run PL/SQL code with XDB
> > privileges. This could pose a problem to some installations as XDB can
> > execute DBMS_RLS and therefore an attacker could effectively disable any
> > virtual private databases on the server.
> Interesting! This is one reason why I'm adamant about "deinstalling" all
> unnecessary modules prior to my upgrade to 11.2. Some necessary ones, too,
> which I will install manually after the upgrade is complete, even though it
> looks like this particular issue is accounted for in the upgrade script (if
> it's "xdbpatch.sql" in 22.214.171.124).
> Thanks David!
--
This Gmail Account will be deactivated in One Months Time
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jul 19 2012 - 20:08:01 CDT
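
An audit for the exposure described in the quoted advisory above, added here as an example that is not part of the original thread. It assumes a session that can read the DBA_* dictionary views. It only reports and generates REVOKE statements for review; it changes nothing.

```sql
-- Added example, not code from the thread.

-- 1. Object privileges PUBLIC holds on XDB.XDB$ACL.
--    Per the thread, 10gR2 grants SELECT, INSERT, UPDATE and DELETE.
SELECT grantee, privilege, grantable, grantor
FROM   dba_tab_privs
WHERE  owner      = 'XDB'
AND    table_name = 'XDB$ACL'
AND    grantee    = 'PUBLIC'
ORDER  BY privilege;

-- 2. Whether XDB can execute DBMS_RLS: direct grant, grant to PUBLIC,
--    or grant to a role held directly by XDB (nested roles not followed).
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  table_name = 'DBMS_RLS'
AND    privilege  = 'EXECUTE'
AND    (grantee IN ('XDB', 'PUBLIC')
        OR grantee IN (SELECT granted_role
                       FROM   dba_role_privs
                       WHERE  grantee = 'XDB'));

-- 3. VPD policies that depend on DBMS_RLS staying out of reach.
--    An empty result means no virtual private database is configured.
SELECT object_owner, object_name, policy_name, enable
FROM   dba_policies
ORDER  BY object_owner, object_name, policy_name;

-- 4. Generate (do not execute) one REVOKE per privilege found in step 1,
--    so the change can be reviewed and tested before it is applied.
SELECT 'REVOKE ' || privilege || ' ON XDB.XDB$ACL FROM PUBLIC;' AS revoke_stmt
FROM   dba_tab_privs
WHERE  owner      = 'XDB'
AND    table_name = 'XDB$ACL'
AND    grantee    = 'PUBLIC'
ORDER  BY privilege;
```

Rows in step 1 together with rows in steps 2 and 3 match the condition the advisory describes; re-run step 1 after any upgrade or XDB reinstall to confirm the grant has not returned.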