Oracle FAQ Your Portal to the Oracle Knowledge Grid
Newsgroup: c.d.o.server

Re: [Q] security risk on "execute any procedure"???

From: Michel Cadot <micadot{at}altern{dot}org>
Date: Thu, 3 Mar 2005 07:39:13 +0100
Message-ID: <4226b0d4$0$31367$636a15ce@news.free.fr>

"Sybrand Bakker" <postbus_at_sybrandb.demon.nl> wrote in message news:mmec21hgcb2eaa265cm9dc4k2p9kvq37so_at_4ax.com...
| On 2 Mar 2005 12:38:31 -0800, aaa <mccdba_at_yahoo.com> wrote:
|
| >I checked ORACLE database we have on 9ir2. I found several users have "execute
| >any procedure" right. Can anyone tell me what kind of security risk for
| >"execute any procedure"?
|
|
| Consider the following (courtesy of Thomas Kyte)
|
| The user with create any procedure privilege issues the following
|
| create or replace procedure <any owner>.do_sql(sqlstr in varchar2) is
| begin
| execute immediate sqlstr;
| end;
|
| and
| begin <any user>.do_sql('drop table emp cascade constraints'); end;
|
|
| Now your user can issue whatever DDL command on <any user>'s schema,
| and take over control. Your user is also not going to leave any
| traces, as <any user> executes the procedures.
|

I don't think publishing how to exploit a security hole is a good thing, even if this one has already been published many times. Many software products grant "execute any procedure" to users (and even to public). This is a very bad thing, but they can't work without it. We are sometimes stuck with these ones, and it's a nightmare to live with them and try to keep up a show of security.
Please avoid worsening our situation by publishing these "solutions". The more they are published, the more people know about them, and the more I tear my hair out.

Regards
Michel Cadot

Received on Thu Mar 03 2005 - 00:39:13 CST
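As an added example, not part of the thread or of any poster's message: an audit query a DBA can run to see which accounts effectively hold the two privileges discussed above, whether granted directly or inherited through any chain of roles, and whether PUBLIC is among them. It assumes SELECT access to the DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_ROLES dictionary views and Oracle 9i or later (for SYS_CONNECT_BY_PATH).

```sql
-- Constructed audit query (added example, not from the thread).
-- Who effectively holds EXECUTE ANY PROCEDURE / CREATE ANY PROCEDURE?

-- Part 1: privileges granted directly to a user (or to PUBLIC).
SELECT sp.grantee                                   AS holder,
       sp.privilege,
       '(direct grant)'                             AS via,
       CASE WHEN sp.grantee = 'PUBLIC'
            THEN 'YES - every account inherits it' ELSE 'no' END AS open_to_all
FROM   dba_sys_privs sp
WHERE  sp.privilege IN ('EXECUTE ANY PROCEDURE', 'CREATE ANY PROCEDURE')
AND    sp.grantee NOT IN (SELECT role FROM dba_roles)   -- users/PUBLIC only
UNION ALL
-- Part 2: privileges inherited through roles, at any nesting depth.
-- Walk from each role that holds the privilege down to the final grantees;
-- a grantee that is not itself a role is a user (or PUBLIC).
SELECT h.grantee                                    AS holder,
       sp.privilege,
       'via role chain ' || h.role_path             AS via,
       CASE WHEN h.grantee = 'PUBLIC'
            THEN 'YES - every account inherits it' ELSE 'no' END AS open_to_all
FROM (
        SELECT grantee,
               SYS_CONNECT_BY_PATH(granted_role, '>') AS role_path,
               -- first role in the path is the one that actually holds the privilege
               SUBSTR(SYS_CONNECT_BY_PATH(granted_role, '>') || '>', 2,
                      INSTR(SYS_CONNECT_BY_PATH(granted_role, '>') || '>', '>', 2) - 2)
                                                      AS root_role
        FROM   dba_role_privs
        START WITH granted_role IN (SELECT grantee FROM dba_sys_privs
                                    WHERE privilege IN ('EXECUTE ANY PROCEDURE',
                                                        'CREATE ANY PROCEDURE'))
        CONNECT BY PRIOR grantee = granted_role       -- Oracle rejects circular role grants
     ) h
JOIN   dba_sys_privs sp ON sp.grantee = h.root_role
WHERE  sp.privilege IN ('EXECUTE ANY PROCEDURE', 'CREATE ANY PROCEDURE')
AND    h.grantee NOT IN (SELECT role FROM dba_roles)   -- stop at users/PUBLIC
ORDER BY 4 DESC, 2, 1;
```

Rows with open_to_all = YES are the case the reply above calls a nightmare: every account in the database, present and future, holds the privilege without any grant naming it.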
