Re: PUBLIC privileges on XDB$ACL

From: Subodh Deshpande <>
Date: Fri, 20 Jul 2012 10:29:10 +0530
Message-ID: <>

ok..this is an index document.
xdb is used to store the xml data
can someone tell me what exact privs xdb has got and which have been delegated to public
then looking at the privs I can think whether this is a threat or not.. I am getting the following results on my local db

SQL> select banner from v$version;


Oracle Database 10g Enterprise Edition Release - Prod
PL/SQL Release - Production
CORE Production
TNS for 32-bit Windows: Version - Production
NLSRTL Version - Production

SQL> show user
SQL> SELECT grantor, grantee, table_name, owner
  2 FROM user_tab_privs
  3 WHERE grantee = 'XDB' and grantable = 'YES';

no rows selected

but xdb is the schema owner who will be able to create and manage objects in it, and similarly other schemas will be able to create and manage objects in xdb..this is what I think..hence at this moment, prima facie, I can say instead of 'grant all to ....' it should have grant privs1, privs2, privs3 etc..on object name to public..would have been a better code writing practice...which exists in later versions.

can someone shed some more light on this..thanks..subodh

On 20 July 2012 08:22, <> wrote:

> becoming interesting..!
>> can someone provide a test case whereby it can be tested how attacker can
>> attack any sql/!
> The attack vector should become apparent once you read the documentation
> for CREATE INDEX...
> B28359_01/server.111/b28286/statements_5011.htm
> Cheers,
> David

This Gmail Account will be deactivated in One Month's Time

Received on Thu Jul 19 2012 - 23:59:10 CDT
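
For readers following the thread, an added example (not posted by anyone in the thread) of how a DBA could answer the question asked above: which privileges PUBLIC holds on XDB-owned objects, and what XDB itself has been granted. It assumes an account that can read the DBA_* dictionary views; DBA_TAB_PRIVS lists all object grants in the database, whereas USER_TAB_PRIVS lists only grants in which the current user is owner, grantor or grantee.

```sql
-- Added example: audit of PUBLIC grants on XDB objects.
-- Assumption: run as a user who can read DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS.

-- 1. Object privileges PUBLIC holds on XDB-owned objects, one row per object.
--    Privileges that change data or structure are counted so they sort first.
SELECT table_name,
       COUNT(*) AS privs_granted,
       SUM(CASE WHEN privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER', 'INDEX')
                THEN 1 ELSE 0 END) AS write_privs,
       MAX(grantable) AS any_grantable      -- 'YES' if any grant is WITH GRANT OPTION
FROM   dba_tab_privs
WHERE  owner = 'XDB'
AND    grantee = 'PUBLIC'
GROUP  BY table_name
ORDER  BY write_privs DESC, table_name;

-- 2. The exact privileges on the table named in the subject line.
--    A "GRANT ALL ... TO PUBLIC" shows up here as one row per privilege.
SELECT privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  owner = 'XDB'
AND    table_name = 'XDB$ACL'
AND    grantee = 'PUBLIC'
ORDER  BY privilege;

-- 3. What XDB itself holds: system privileges, roles, and object privileges
--    on objects in any schema.
SELECT 'SYSTEM' AS kind, privilege AS name, admin_option AS with_option
FROM   dba_sys_privs
WHERE  grantee = 'XDB'
UNION ALL
SELECT 'ROLE', granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'XDB'
UNION ALL
SELECT 'OBJECT', privilege || ' ON ' || owner || '.' || table_name, grantable
FROM   dba_tab_privs
WHERE  grantee = 'XDB'
ORDER  BY 1, 2;
```

Rows from the first query with a non-zero write_privs are the ones to compare against the grants shipped in a later release before deciding whether any can be narrowed.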
