Re: PL/SQL Package Execution Privileges
In article <ch754vkiah45q4r9765ofbft19rcd9hcgd_at_4ax.com>,
gooiditweg_at_nospam.demon.nl says...
> On Thu, 6 Feb 2003 16:28:27 -0000, Jeremy Ovenden
> <newspostings_at_hazelweb.co.uk> wrote:
>
> >Question: if there is enough info here, how should I set this up? There
> >are some users in the system that need to be able to change the
> >passwords of other users (i.e. to reset them in the event of the user
> >forgetting them). This is a web-based application using pl/sql toolkit.
>
>
> You should NOT set this up, unless you want to build applications
> which are vulnerable to attacks.
>
This is the sort of response I anticipated. I feel that it is a potentially serious hole that is opened up. If there was a safe way to do it (for example a given class of users identified by Role R1 being able to alter the passwords of any users with Role R2 or somesuch....)
It is not essential and if it is risky then it will be shelved!
Thanks for your input.
cheers
-- jeremy

Received on Thu Feb 06 2003 - 12:15:59 CST