Oracle FAQ Your Portal to the Oracle Knowledge Grid


Security hole in Oracle?

From: <dmitryn_at_genesyslab.com>
Date: 5 Feb 2006 22:45:47 -0800
Message-ID: <1139208347.339799.110000@g47g2000cwa.googlegroups.com>


We're observing pretty weird behavior with Oracle 9.2.0.1 and 10g, though maybe it is considered normal for these products; I don't know.

The synopsis is the following:

  1. Oracle (9.2 and 10g) is installed on Windows Server 2003 with all default settings and one database
  2. Two users are created with minimal permissions (they cannot view/change others' schemas)
  3. Schemas are initialized (using the logins of two users) with the same set of stored procedures and tables
  4. Two clients working on two Windows machines, logged on under those two users, simultaneously start to write to their tables using stored procedures and transactions. Client applications use the binding mechanism.

Now comes the hocus-pocus: one of them is almost always writing into the wrong schema. When we analyzed the audit log (SYS.AUD$), we discovered that there are, indeed, two right sessions under two right users, but the procedure that is called from one user really belongs to the other one (obj$creator field)! Needless to say, when we tried to repeat this trick in SQL*Plus (to call the other user's procedure), we got an 'insufficient privileges' error. We tried to play around with users, deleted and created them anew and, at some moment, felt that users with similar names (starting with the same prefix) have a better chance of messing up. But generally, it was just pretty much consistently wrong, so that we saw the same behavior with different users and on different Oracles. To make matters worse, we ran into another problem while recreating users/schemas. Sometimes, after we recreated schemas, bindings could no longer be initiated on the server, which reported all sorts of nonsensical errors until we had to restart Oracle (after that, at least, binding was created successfully).

We haven't tried this on Unix yet, but given all this, to put it mildly, unreliable behavior (it was confirmed on several sites by different teams), I wonder if anyone knows for sure if binding on Oracle on Windows has ever been working. (I have a feeling that all this mess is somehow connected to how Oracle caches binding calls.)

Thanks!

Received on Mon Feb 06 2006 - 00:45:47 CST
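
The audit-trail cross-check described in the post, as an added example that is not part of the original message: it queries the documented DBA_AUDIT_TRAIL view over SYS.AUD$ (its OWNER column corresponds to obj$creator) for successful procedure executions whose object owner differs from the session user, and shows whether a direct EXECUTE grant or a system privilege (PRIV_USED) accounts for the call. It assumes EXECUTE PROCEDURE auditing is enabled and the audit trail is stored in the database.

```sql
-- Added example (not from the original post).
-- Assumption: AUDIT EXECUTE PROCEDURE is active and AUDIT_TRAIL writes to the database.
-- Step 1: aggregate successful cross-schema procedure executions.
-- Step 2: check whether a direct or PUBLIC EXECUTE grant explains each one.
SELECT x.username,                 -- session user that made the call
       x.owner,                    -- schema owning the executed object
       x.obj_name,
       x.priv_used,                -- system privilege used, if any
       x.executions,
       x.sessions,
       x.first_seen,
       x.last_seen,
       CASE
         WHEN EXISTS (SELECT 1
                        FROM dba_tab_privs p
                       WHERE p.owner      = x.owner
                         AND p.table_name = x.obj_name
                         AND p.privilege  = 'EXECUTE'
                         AND p.grantee IN (x.username, 'PUBLIC'))
         THEN 'YES'
         ELSE 'NO'                 -- no direct grant: check roles and PRIV_USED
       END AS direct_execute_grant
  FROM (SELECT t.username,
               t.owner,
               t.obj_name,
               t.priv_used,
               COUNT(*)                    AS executions,
               COUNT(DISTINCT t.sessionid) AS sessions,
               MIN(t.timestamp)            AS first_seen,
               MAX(t.timestamp)            AS last_seen
          FROM dba_audit_trail t
         WHERE t.action_name = 'EXECUTE PROCEDURE'
           AND t.returncode  = 0           -- successful calls only
           AND t.owner      <> t.username  -- caller is not the object owner
         GROUP BY t.username, t.owner, t.obj_name, t.priv_used) x
 ORDER BY x.executions DESC;
```

Rows with direct_execute_grant = 'NO' and an empty PRIV_USED are the ones that match the behavior reported above and merit a closer look at role grants and synonyms.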
