Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: Oracle stored procedures vs Running from a flat .sql file

From: DA Morgan <damorgan_at_exesolutions.com>
Date: Mon, 06 Jan 2003 17:00:36 -0800
Message-ID: <3E1A26B4.80CCB29B@exesolutions.com>


Alex Filonov wrote:

> Tim X <timx_at_spamto.devnul.com> wrote in message news:<87bs2vhyc3.fsf_at_tiger.rapttech.com.au>...
> > "Computer Person" <xx_at_xx.com> writes:
> >
> > > I am finding that the UTL_FILE security is flawed in major ways which is
> > > contributing to the problems.
> >
> > We have a number of apps which make use of utl_file - I would really
> > like to know what the security flaws are with it - my experience has
> > been that utl_file can be a pain, but this is primarily because of its
> > security restrictions. It would be most useful to know about the
> > security flaws so that I can determine if our system has security
> > holes I'm not aware of.
> >
>
> UTL_FILE writes all files as the Oracle Database owner. If you want to load
> files using UTL_FILE, you need to create them first as some other user.
> That user has to have write access to this directory. Now, a simple
> trick. Make that user create a soft link to some important file
> owned by the Oracle owner, some executable for example. And make a simple
> PL/SQL program which will remove this file using UTL_FILE. Sounds
> impressive enough? This is the very first thing coming to mind, but
> I'm sure an inventive person can produce lots of problems. Not to mention
> not very smart persons, who can do much more damage...
>
> > Tim

Provided the inventive person works on a server managed by an SA who is clueless about security.

But then on that subject I can point you to government databases in the US where the passwords for SYS and SYSTEM are unchanged from the default.

Daniel Morgan

Received on Mon Jan 06 2003 - 19:00:36 CST
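The thread's point is that UTL_FILE reads and writes as the Oracle software's OS account, so the exposure is decided by the OS permissions of the directories UTL_FILE is allowed to touch (UTL_FILE_DIR or, on later releases, directory objects), not by the database alone. The following POSIX shell function is an added audit example, not code from the thread or from Oracle: it flags a directory that is writable by group or others (which lets another OS user plant files there) and any symbolic link inside it (which would redirect an UTL_FILE write or remove to a different path). The function name and its return codes (0 clean, 1 findings, 2 not a directory) are this example's own conventions.

```shell
#!/bin/sh
# Constructed example: audit one directory that UTL_FILE is permitted to use.
# Prints a WARN line per finding and returns:
#   0  no findings
#   1  directory is group/other writable, or contains symlinks
#   2  argument is not a directory
audit_utl_file_dir() {
    dir=$1
    status=0

    if [ ! -d "$dir" ]; then
        echo "ERROR: not a directory: $dir"
        return 2
    fi

    # Permission string such as drwxrwxr-x; cut drops any ACL/SELinux marker.
    perms=$(ls -ld "$dir" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?)
            echo "WARN: $dir is writable by group or others ($perms)"
            status=1 ;;
    esac

    # Any symlink here could be followed when the Oracle OS user removes
    # or overwrites a file through UTL_FILE (the scenario discussed above).
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        if [ -L "$entry" ]; then
            echo "WARN: symlink $entry -> $(readlink "$entry")"
            status=1
        fi
    done

    return $status
}

# Usage: audit_utl_file_dir /u01/app/oracle/utl   (path is a placeholder)
```

Run it against every path listed in UTL_FILE_DIR (or every directory object's path); a non-zero return is the signal to fix ownership and mode of the directory before trusting PL/SQL code that writes there.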

