Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Security hole in Oracle?

From: Michel Cadot <micadot{at}altern{dot}org>
Date: Mon, 6 Feb 2006 08:29:27 +0100
Message-ID: <43e6fad6$0$26031$636a15ce@news.free.fr>

<dmitryn_at_genesyslab.com> wrote in news message: 1139208347.339799.110000_at_g47g2000cwa.googlegroups.com...
| We're observing a pretty weird behavior with Oracle 9.2.0.1 and 10g,
| though, maybe it is considered normal for these products, I don't know.
|
| The synopsis is the following:
|
| 1. Oracle (9.2 and 10g) is installed on Windows Server 2003 with all
| default settings and one database
| 2. Two users are created with minimal permissions (they cannot
| view/change others' schemas)
| 3. Schemas are initialized (using the logins of two users) with the
| same set of stored procedures and tables
| 4. Two clients working on two Windows machines logged on under those
| two users simultaneously start to write to their tables using stored
| procedures and transactions. Client applications use binding mechanism.
|
| Now comes the hocus-pocus: one of them is almost always writing into the wrong
| schema. When we analyzed the audit log (SYS.AUD$), we discovered that there
| are, indeed, two right sessions under two right users, but the
| procedure that is called from one user really belongs to the other one!
| (obj$creator field). Needless to say, when we tried to repeat this
| trick in Sqlplus (to call the other user's procedure), we got an 'insufficient
| privileges' error. We tried to play around with users, deleted and
| created them anew and, at some moment, felt that users with similar
| names (starting with the same prefix) have a better chance of messing up.
| But generally, it was just pretty much consistently wrong - so that we
| saw the same behavior with different users and on different Oracles.
| To make matters worse, we ran into another problem while recreating
| users/schemas. Sometimes, after we recreated schemas, bindings could
| no longer be initiated at the server while reporting all sorts of
| nonsensical errors until we had to restart Oracle (after that, at
| least, binding was created successfully).
|
| We haven't tried this on unix yet, but given all this, to put it
| mildly, unreliable behavior (it was confirmed on several sites by
| different teams), I wonder if anyone knows for sure if binding on
| Oracle on Windows has ever been working. (I have a feeling that all this
| mess is somehow connected to how Oracle caches binding calls.)
|
| Thanks!
|

Unless you post a real and full test case, this is only blahblah.

Regards
Michel Cadot

Received on Mon Feb 06 2006 - 01:29:27 CST
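An added example, not code from either post and not the original poster's application: a minimal SQL*Plus script that reproduces the two-user setup from the quoted message and then checks, from the audit trail and the data dictionary, which owner's procedure each session actually executed. USER_A, USER_B, their passwords, the USERS tablespace and the T_LOG/WRITE_LOG names are assumed placeholders, and AUDIT_TRAIL=DB is assumed to be set so that SYS.AUD$ is populated.

```sql
-- Added example, not from either post. Everything below is constructed:
-- USER_A / USER_B, their passwords, the USERS tablespace and the object
-- names are placeholders. Requires AUDIT_TRAIL=DB so SYS.AUD$ is written.

--------------------------------------------------------------------
-- 1. As a DBA: two users with the minimal privileges the post lists.
--------------------------------------------------------------------
CREATE USER user_a IDENTIFIED BY "Placeholder_A1";
CREATE USER user_b IDENTIFIED BY "Placeholder_B1";
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE TO user_a, user_b;
ALTER USER user_a QUOTA 10M ON users;   -- assumes a USERS tablespace
ALTER USER user_b QUOTA 10M ON users;
-- One audit row per procedure execution by either user.
AUDIT EXECUTE PROCEDURE BY user_a, user_b BY ACCESS;

--------------------------------------------------------------------
-- 2. As USER_A, then again as USER_B: identical table and procedure.
--    The procedure is definer's rights (the default), so T_LOG is
--    bound to the owner's own table when the procedure is compiled.
--------------------------------------------------------------------
CREATE TABLE t_log (id NUMBER, sess_user VARCHAR2(30), stamp DATE);

CREATE OR REPLACE PROCEDURE write_log (p_id IN NUMBER) AS
BEGIN
  -- SESSION_USER is the logged-on user, whichever schema the row lands in.
  INSERT INTO t_log
  VALUES (p_id, SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSDATE);
  COMMIT;
END;
/

-- Confirm the schema unqualified names resolve against in this session.
SELECT SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema FROM dual;

-- Unqualified call, the way a client library typically issues it.
EXEC write_log(1)
-- Schema-qualified call, the mitigation: qualify with your own schema
-- (USER_B when connected as USER_B). This cannot resolve elsewhere.
EXEC user_a.write_log(2)

--------------------------------------------------------------------
-- 3. As the DBA, after both sessions have run: where did rows land?
--    Every SESS_USER value should match the owner of the table it is
--    in. A USER_A row inside USER_B.T_LOG is the symptom reported.
--------------------------------------------------------------------
SELECT 'USER_A' AS table_owner, sess_user, COUNT(*) AS rows_written
  FROM user_a.t_log GROUP BY sess_user
UNION ALL
SELECT 'USER_B', sess_user, COUNT(*)
  FROM user_b.t_log GROUP BY sess_user;

-- Same check from the audit trail (the view over SYS.AUD$): USERNAME is
-- the session user, OWNER is the schema of the procedure that executed.
SELECT username, owner, obj_name, action_name, timestamp
  FROM dba_audit_trail
 WHERE obj_name = 'WRITE_LOG'
   AND username != owner
 ORDER BY timestamp;

-- Apart from ALTER SESSION SET CURRENT_SCHEMA, an unqualified name reaches
-- another schema's procedure only through a synonym (private or public)
-- plus an EXECUTE grant. If both queries return no rows, ordinary name
-- resolution cannot explain a mismatch in the audit trail.
SELECT owner, synonym_name, table_owner, table_name
  FROM dba_synonyms WHERE synonym_name = 'WRITE_LOG';
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs WHERE table_name = 'WRITE_LOG';

-- Cleanup.
NOAUDIT EXECUTE PROCEDURE BY user_a, user_b;
DROP USER user_a CASCADE;
DROP USER user_b CASCADE;
```

Run step 2 in two separate sessions, one per user, so that the audit rows carry distinct USERNAME values; the three queries in step 3 then give a self-contained record of which procedure ran, in which schema, and whether any grant or synonym could have made that resolution possible.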

