Re: Oracle stored procedures vs Running from a flat .sql file
afilonov_at_yahoo.com (Alex Filonov) writes:
> > We have a number of apps which make use of utl_file - I would really
> > like to know what the security flaws are with it - my experience has
> > been that utl_file can be a pain, but this is primarily because of its
> > security restrictions. It would be most useful to know about the
> > security flaws so that I can determine if our system has security
> > holes I'm not aware of.
> >
>
> UTL_FILE writes all files as the Oracle Database owner. If you want to load
> files using UTL_FILE, you need to create them first as some other user.
> That user has to have write access to this directory. Now, a simple
> trick. Make that user create a soft link to some important file
> owned by the Oracle owner, some executable for example. And make a simple
> PL/SQL program which will remove this file using UTL_FILE. Sounds
> impressive enough? This is the very first thing coming to mind, but
> I'm sure an inventive person can produce lots of problems. Not to mention
> not very smart persons, who can do much more damage...
>
Have you tried accessing a file via a symlink with utl_file? I thought it wouldn't follow symlinks - I'll have to test this when I get back to work. If it does, then I would agree this is a security problem, but I think I read somewhere that utl_file would not follow a symlink.
Tim
-- 
Tim Cross
The e-mail address on this message is FALSE (obviously!). My real e-mail is to a company in Australia called rapttech and my login is tcross - if you really need to send mail, you should be able to work it out!

Received on Mon Jan 06 2003 - 18:58:02 CST
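Whether or not a given Oracle release follows symlinks through UTL_FILE, the exposure Alex describes only exists when a non-Oracle account can plant a link inside a directory the database writes to. The script below is an added example, not code from either poster: it audits one such directory (whatever you have exposed through `UTL_FILE_DIR` or a `DIRECTORY` object; the path is assumed) for symlinks whose target resolves outside the directory, and for group/world write permission that would let another account create them. The fixture it builds is a constructed temp directory, not a real Oracle directory.

```python
import os
import stat
import tempfile


def find_escaping_symlinks(directory):
    """Return a list of (link_name, resolved_target) for every symbolic link
    directly inside `directory` whose target resolves outside it.

    A link that stays inside the directory is not reported; a link pointing
    at a file elsewhere on the filesystem is the case the thread worries about.
    """
    root = os.path.realpath(directory)
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.islink(path):
            continue
        # realpath follows the whole link chain, even if the final target is gone
        target = os.path.realpath(path)
        if os.path.commonpath([root, target]) != root:
            findings.append((name, target))
    return findings


def is_writable_by_others(directory):
    """True if group or world can write into `directory`, i.e. an account other
    than the owner could create a link there."""
    mode = os.stat(directory).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(directory):
    """Run both checks and return one report dict for the directory."""
    return {
        "escaping_links": find_escaping_symlinks(directory),
        "writable_by_others": is_writable_by_others(directory),
    }


def build_sample_dir():
    """Constructed fixture (not a real UTL_FILE directory): a private temp
    directory holding a regular file, a link that stays inside it, and a link
    that escapes to a file created elsewhere in the temp area.
    Returns (directory, resolved_path_of_the_outside_file)."""
    outside_fd, outside = tempfile.mkstemp(prefix="important-")
    os.close(outside_fd)
    d = tempfile.mkdtemp(prefix="utl_file_dir-")  # created with mode 0700
    with open(os.path.join(d, "report.txt"), "w") as f:
        f.write("constructed sample output\n")
    os.symlink("report.txt", os.path.join(d, "alias.txt"))  # stays inside
    os.symlink(outside, os.path.join(d, "escape"))          # escapes
    return d, os.path.realpath(outside)


if __name__ == "__main__":
    sample_dir, _ = build_sample_dir()
    report = audit(sample_dir)
    for name, target in report["escaping_links"]:
        print("symlink %s escapes the directory -> %s" % (name, target))
    print("group/world writable:", report["writable_by_others"])
```

Run it against the real directory instead of the fixture by calling `audit("/path/you/expose")`; an empty `escaping_links` list together with `writable_by_others` being `False` is the state you want before trusting UTL_FILE with that directory.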