
Re: Create a new user

From: Brian Peasland <peasland_at_usgs.gov>
Date: Mon, 19 Mar 2001 15:20:50 GMT
Message-ID: <3AB623D2.BE88AAD2@usgs.gov>

Frank,

If someone wanted to do damage at a later date, then coming across a SQL*Plus session gives them that ability. They could code a stored procedure which would grant anyone DBA rights. Then they could sign on to an account (one that already exists or a new one) and execute this procedure. They now have access to anything and everything in the system. Unless the DBA constantly monitors for new users and/or stored procedures, this would go unnoticed.

HTH
Brian

Frank wrote:
>
> Hi!
>
> The original question was what could be done if a hacker came across a
> SQLPlus logged in as DBA, and what could be done "....such that [it] can be
> exploited much later." The immediate risks are fairly obvious.
> I'm interpreting the question as: How can someone create a security breach
> that can be misused later (months/years) for benefit?
> e.g. someone can query sensitive data, "adjust" invoices or similar, in the
> application.
> A business hacker may not benefit much from dropping tables in an
> application, because it will soon be discovered,
> and the breach secured (as easy as you describe).
>
> Frank
 

-- 
========================================
Brian Peasland
Raytheons Systems at
  USGS EROS Data Center
These opinions are my own and do not
necessarily reflect the opinions of my 
company!
========================================
Received on Mon Mar 19 2001 - 09:20:50 CST
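
The monitoring Brian describes, as an added example that is not part of the original post: Oracle data-dictionary queries a DBA could schedule to list new accounts, recently created or changed stored code, and who can reach the DBA role. The 7-day window is an assumption to match to your own review interval.

```sql
-- Added example, not from the original thread.
-- Run as a user who can read the DBA_* dictionary views.
-- Assumption: review window of 7 days (SYSDATE - 7).

-- 1. Accounts created inside the window.
SELECT username, created, account_status
FROM   dba_users
WHERE  created > SYSDATE - 7
ORDER  BY created;

-- 2. Stored code created or changed inside the window, flagged when its
--    source mentions GRANT. SYS and SYSTEM are deliberately not excluded:
--    code owned by a privileged schema runs with that owner's rights.
--    Caveat: wrapped source, or a keyword built by string concatenation,
--    will not match the LIKE test, so review every row, not only 'Y' rows.
SELECT o.owner, o.object_name, o.object_type, o.created, o.last_ddl_time,
       CASE WHEN EXISTS (SELECT 1
                         FROM   dba_source s
                         WHERE  s.owner = o.owner
                         AND    s.name  = o.object_name
                         AND    s.type  = o.object_type
                         AND    UPPER(s.text) LIKE '%GRANT%')
            THEN 'Y' ELSE 'N' END AS mentions_grant
FROM   dba_objects o
WHERE  o.object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE',
                         'PACKAGE BODY', 'TRIGGER')
AND    o.last_ddl_time > SYSDATE - 7
ORDER  BY o.last_ddl_time;

-- 3. Who may execute that recently changed code (watch for PUBLIC or
--    accounts with no business reason to call it).
SELECT p.grantee, p.owner, p.table_name AS object_name, p.grantor
FROM   dba_tab_privs p
JOIN   dba_objects o
       ON  o.owner = p.owner
       AND o.object_name = p.table_name
WHERE  p.privilege = 'EXECUTE'
AND    o.object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE')
AND    o.last_ddl_time > SYSDATE - 7
ORDER  BY p.owner, p.table_name, p.grantee;

-- 4. Current holders of the DBA role; compare against the approved list.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;
```

Saving each run's output and comparing it with the previous run shows changes that fall between review windows.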
