Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: looking for upgrade time estimate

From: Tanel Poder <tanel_at_@peldik.com>
Date: Thu, 6 Mar 2003 02:48:12 +0200
Message-ID: <3e669a1e$1_2@news.estpak.ee>


Daniel,

It's kind of a security hole, like opening a window in my home from the inside after walking in through the open door...

This is not SQL injection, it's just modifying some Oracle scripts, which definitely shouldn't be writable by every user. SQL injection is more like when you play around with single quotes in the parameters of a poorly written (web) application to run your malicious query inside another query.

If you are in the operating system with a privilege (the oracle user or the dba group, for example) to write to the ORACLE_HOME or the datafiles, there are much easier ways to get into the database anyway, such as connecting as SYSDBA or replacing the password file, etc.

So, when you have control over the OS, you have control over Oracle. When you have control over the hardware, you have control over the OS.

Tanel.

"DA Morgan" <damorgan_at_exesolutions.com> wrote in message news:3E669099.A031703D_at_exesolutions.com...
> Tanel Poder wrote:
>
> > Hi!
> >
> > > 9i disk requirements are not substantially higher than 8i if you go
> > > through, after the installation, and prune out the gigabytes of help,
> > > doc, sample, demo, template, and other unnecessary files. Effectively
> > > everything with .zip, .mov, .avi, .gif, .html, .pdf can go. And if you
> > > look at the google.com archives a year or so back you will find some
> > > decent lists of other larger files that can go as well. Personally I
> > > see no reason to even keep most of what is in \rdbms\admin on a
> > > server ... it is nothing but a security hole.
> >
> > Erm.. could you enlighten me, why keeping those files under rdbms/admin
> > is a security hole?
> > They are the same in every copy of a specific release, so it doesn't
> > matter where I get them from, the server's disk or OTN. Or is there some
> > threatening information written by the Oracle Installer?
> >
> > Thanks,
> > Tanel.
>
> Go into any one of those scripts that will be run routinely and create
> your own procedure ... that when run does anything you wish, from creating
> users, to roles, to procedures, to whatever. It is a technique known as
> SQL Injection. And I can think of many of those scripts that get run
> routinely by DBAs that never once look to see if they have been modified.
>
> A few lines of code in utlxplan.sql, for example, and you are SYS.
>
> Daniel Morgan
>
Received on Wed Mar 05 2003 - 18:48:12 CST
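The practical takeaway from both sides of the exchange is that scripts a DBA runs as SYS from $ORACLE_HOME/rdbms/admin must not be writable by ordinary OS users, and that a DBA should be able to tell whether they have been modified since installation. The script below is an added example, not part of the thread and not Oracle's own tooling: it counts group- or world-writable .sql files, records a checksum baseline (GNU sha256sum is assumed), and reports scripts that changed, went missing, or appeared since the baseline was taken. The directory layout and the sample files in the usage note are constructed for the demonstration.

```shell
#!/bin/sh
# Integrity and permission checks for the SQL scripts a DBA runs as SYS.
# Added example, not from the thread. Assumes a POSIX find and GNU coreutils
# (sha256sum with -c/--quiet). The admin directory path is passed in by the
# caller; nothing here is specific to a real Oracle release.

# Count .sql scripts under DIR that are writable by group or others.
# A script anyone can write to is a script anyone can turn into a trojan.
insecure_perms() {
    dir=$1
    find "$dir" -type f -name '*.sql' \( -perm -g+w -o -perm -o+w \) \
        | wc -l | tr -d ' '
}

# Record a baseline of checksums for every .sql script under DIR into OUT.
# OUT must be an absolute path and should live outside ORACLE_HOME, or an
# attacker who can edit the scripts can edit the baseline too.
make_baseline() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f -name '*.sql' | LC_ALL=C sort | xargs sha256sum ) > "$out"
}

# Count scripts whose checksum no longer matches the baseline BASE
# (modified or missing). sha256sum -c prints "<file>: FAILED" for each one.
changed_since_baseline() {
    dir=$1
    base=$2
    ( cd "$dir" && sha256sum -c --quiet "$base" 2>/dev/null || true ) \
        | grep -c 'FAILED' || true
}

# Count .sql scripts present under DIR that the baseline BASE does not list.
# sha256sum -c ignores such files, so they need a separate check.
new_since_baseline() {
    dir=$1
    base=$2
    ( cd "$dir" && find . -type f -name '*.sql' | LC_ALL=C sort ) > "$base.current"
    awk '{print $2}' "$base" | LC_ALL=C sort > "$base.known"
    comm -23 "$base.current" "$base.known" | wc -l | tr -d ' '
    rm -f "$base.current" "$base.known"
}
```

Usage: take the baseline once, immediately after installation or patching, with `make_baseline "$ORACLE_HOME/rdbms/admin" /var/lib/dbcheck/admin.sha256`, and run `insecure_perms`, `changed_since_baseline` and `new_since_baseline` against the same directory before running any of those scripts as SYS; any non-zero count means the script should be diffed against a known-good copy before it is executed. As Tanel notes, this only helps against users who can write to the scripts but cannot otherwise act as the oracle user; someone with full control of ORACLE_HOME does not need the scripts at all.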
