
Re: Oracle stored procedures vs Running from a flat .sql file

From: Alex Filonov <afilonov_at_yahoo.com>
Date: 6 Jan 2003 11:33:07 -0800
Message-ID: <336da121.0301061133.66a7332b@posting.google.com>


Tim X <timx_at_spamto.devnul.com> wrote in message news:<87bs2vhyc3.fsf_at_tiger.rapttech.com.au>...
> "Computer Person" <xx_at_xx.com> writes:
>
> > I am finding that the UTL_FILE security is flawed in major ways which is
> > contributing to the problems.
>
> We have a number of apps which make use of utl_file - I would really
> like to know what the security flaws are with it - my experience has
> been that utl_file can be a pain, but this is primarily because of its
> security restrictions. It would be most useful to know about the
> security flaws so that I can determine if our system has security
> holes I'm not aware of.
>

UTL_FILE writes all files as the Oracle Database owner. If you want to load files using UTL_FILE, you need to create them first as some other user. That user has to have write access to this directory. Now, simple trick. Make that user create a soft link to some important file owned by the Oracle owner, some executable for example. And make a simple PL/SQL program which will remove this file using UTL_FILE. Sounds impressive enough? This is the very first thing coming to mind, but I'm sure an inventive person can produce lots of problems. Not to mention not very smart persons, who can do much more damage...

> Tim
Received on Mon Jan 06 2003 - 13:33:07 CST
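
A defensive check for the situation described in the post above, as an added example that is not part of the original thread: it audits a directory exposed to UTL_FILE for symbolic links that resolve outside it and for group- or world-writable permissions, and goes slightly beyond the post by also flagging hard links. The function names and the demo directory are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_dir(directory):
    """Return (kind, path, detail) findings for a directory exposed to UTL_FILE."""
    findings = []
    root = os.path.realpath(directory)
    mode = os.stat(root).st_mode
    # Anyone who can write here can plant a link that the database owner follows.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable-dir", root, oct(stat.S_IMODE(mode))))
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)  # lstat: inspect the entry itself, not its target
        if stat.S_ISLNK(st.st_mode):
            target = os.path.realpath(path)
            inside = os.path.commonpath([root, target]) == root
            findings.append(("symlink" if inside else "symlink-escapes", path, target))
        elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            # A hard link is a second name for a file that may live elsewhere.
            findings.append(("hardlink", path, "nlink=%d" % st.st_nlink))
    return findings


def build_demo_dir():
    """Constructed sample: a load directory with one data file and one planted link."""
    base = tempfile.mkdtemp(prefix="utlfile_demo_")
    load_dir = os.path.join(base, "load")
    os.mkdir(load_dir)
    os.chmod(load_dir, 0o750)  # set explicitly so the umask does not matter
    outside = os.path.join(base, "important_file")  # stands in for an Oracle-owned file
    with open(outside, "w") as fh:
        fh.write("placeholder\n")
    with open(os.path.join(load_dir, "data.csv"), "w") as fh:
        fh.write("1,2,3\n")
    os.symlink(outside, os.path.join(load_dir, "report.txt"))
    return load_dir


if __name__ == "__main__":
    for kind, path, detail in audit_dir(build_demo_dir()):
        print(kind, path, detail)
```

Run it as a scheduled job against each directory the database can reach through UTL_FILE and alert on any non-empty result.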
