Re: Oracle 9i DB Security Hole
The dialogue on this Usenet group is pathetic, to put it mildly - I
quit reading the Oracle Usenet groups years ago but was directed back
by the article on theinquirer.net (other than there and in a few
discussion groups there has been not a peep about all this). Anyone
with half a brain, upon reading the original post on Mon., and with a
few minutes of testing would have grasped the awful and awesome truth
- and at that point would have shut down their 9.0.1 db. Oracle has
released a patch using the same bug # that was logged back in Dec.
(thus announcing the problem to the world).
You may know (on second thought you probably don't) that 9.0.1 installs with username: dbsnmp / password: dbsnmp - account unlocked - this un has connect role by def., which includes create view - thus the global R/W access.
I'm rather sorry to see what happened here - I've suffered for
years with Oracle, turning me into one of their many critics but also
one of their biggest fans (especially considering the competition).
I perceive that there are many competing camps within any large corp.
- they don't speak as one monolithic entity and what they do say is
skewed from the top and amongst their willing water-boys, the media.
So there needs to be an institutional discipline that makes it
possible to deal with problems like this in a timely, straightforward
and plain-spoken manner. Was that the case here - you be the judge.
Received on Thu Apr 18 2002 - 11:01:17 CDT
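
An audit for the condition the post describes (default dbsnmp account left unlocked, holding the connect role with create view), added here as an example that is not part of the original post. It assumes a DBA session in SQL*Plus and uses only the standard dictionary views DBA_USERS, DBA_ROLE_PRIVS and DBA_SYS_PRIVS; the lock statement at the end assumes nothing at the site depends on logging in as DBSNMP.

```sql
-- Added audit example, not from the original post. Run as a DBA user.

-- 1. Is the default DBSNMP account present and still unlocked?
SELECT username, account_status, created
FROM   dba_users
WHERE  username = 'DBSNMP';

-- 2. Does DBSNMP hold a role that carries CREATE VIEW on this database?
SELECT rp.grantee, rp.granted_role, sp.privilege
FROM   dba_role_privs rp, dba_sys_privs sp
WHERE  sp.grantee   = rp.granted_role
AND    rp.grantee   = 'DBSNMP'
AND    sp.privilege = 'CREATE VIEW';

-- 3. Wider view: every OPEN account that can create views, either by
--    direct grant or through a directly granted role. Roles granted to
--    other roles are not followed here.
SELECT u.username, 'direct grant' AS granted_via
FROM   dba_users u, dba_sys_privs sp
WHERE  sp.grantee       = u.username
AND    sp.privilege     = 'CREATE VIEW'
AND    u.account_status = 'OPEN'
UNION
SELECT u.username, rp.granted_role
FROM   dba_users u, dba_role_privs rp, dba_sys_privs sp
WHERE  rp.grantee       = u.username
AND    sp.grantee       = rp.granted_role
AND    sp.privilege     = 'CREATE VIEW'
AND    u.account_status = 'OPEN'
ORDER  BY 1, 2;

-- 4. Assumption: nothing at the site logs in as DBSNMP. If that holds,
--    lock the account; otherwise change its password from the default.
ALTER USER dbsnmp ACCOUNT LOCK;
```

Rows from query 2 together with account_status = 'OPEN' in query 1 mean the database matches the configuration the post warns about.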