Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: Security hole in Oracle?

From: hpuxrac <johnbhurley_at_sbcglobal.net>
Date: 6 Feb 2006 05:21:42 -0800
Message-ID: <1139232102.718576.95460@f14g2000cwb.googlegroups.com>

dmitryn_at_genesyslab.com wrote:
> We're observing a pretty weird behavior with Oracle 9.2.0.1 and 10g,
> though, maybe it is considered normal for these products, I don't know.
>
> The synopsis is the following:
>
> 1. Oracle (9.2 and 10g) is installed on Windows Server 2003 with all
> default settings and one database
> 2. Two users are created with minimal permissions (they cannot
> view/change others' schemas)
> 3. Schemas are initialized (using the logins of two users) with the
> same set of stored procedures and tables
> 4. Two clients working on two Windows machines logged on under those
> two users simultaneously start to write to their tables using stored
> procedures and transactions. Client applications use binding mechanism.
>
> Now for the hocus-pocus: one of them is almost always writing into the wrong
> schema. When we analyzed the audit log (SYS.AUD$), we discovered that there
> are, indeed, two right sessions under two right users, but the
> procedure that is called from one user really belongs to the other one!
> (obj$creator field). Needless to say, when we tried to repeat this
> trick in SQL*Plus (to call the other user's procedure), we got an 'insufficient
> privileges' error. We tried to play around with users, deleted and
> created them anew and, at some moment, felt that users with similar
> names (starting with the same prefix) have a better chance of messing up.
> But generally, it was just pretty much consistently wrong - so that we
> saw the same behavior with different users and on different Oracles.
> To make matters worse, we ran into another problem while recreating
> users/schemas. Sometimes, after we recreated schemas, bindings could
> no longer be initiated at the server while reporting all sorts of
> nonsensical errors until we had to restart Oracle (after that, at
> least, the binding was created successfully).
>
> We haven't tried this on Unix yet, but given all this, to put it
> mildly, unreliable behavior (it was confirmed on several sites by
> different teams), I wonder if anyone knows for sure if binding on
> Oracle on Windows has ever been working. (I have a feeling that all this
> mess is somehow connected to how Oracle caches binding calls.)

Well, if you can re-create it then by all means send it in to Oracle Support to get it analyzed.

You could also post a re-creatable test case here if you want someone else to submit it for you.

Received on Mon Feb 06 2006 - 07:21:42 CST
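The following diagnostic is an added example for readers of this thread; it is not part of the original posts and is not Oracle's or the poster's code. It shows how a test case like the one described above can be narrowed down: from each user's own session, ask Oracle what an unqualified procedure name actually resolves to (DBMS_UTILITY.NAME_RESOLVE), list any synonym that could redirect that name, and then compare with what the audit trail recorded. The user names APP_A and APP_B and the procedure name WRITE_ROW are assumptions chosen for illustration; the audit queries assume AUDIT_TRAIL=DB and AUDIT EXECUTE ON the procedure, which the original post does not state.

```sql
-- Added diagnostic, not from the original thread.
-- Assumed setup (hypothetical names): users APP_A and APP_B each own a
-- procedure called WRITE_ROW and each client calls it unqualified.

-- 1. Run this once per session, connected as APP_A and then as APP_B:
--    which object does the unqualified name WRITE_ROW resolve to here?
SET SERVEROUTPUT ON
DECLARE
  v_schema   VARCHAR2(30);
  v_part1    VARCHAR2(30);
  v_part2    VARCHAR2(30);
  v_dblink   VARCHAR2(128);
  v_type     NUMBER;
  v_objnum   NUMBER;
BEGIN
  -- context 1 = resolve the name as a PL/SQL procedure/function/package
  DBMS_UTILITY.NAME_RESOLVE('WRITE_ROW', 1,
                            v_schema, v_part1, v_part2, v_dblink,
                            v_type, v_objnum);
  DBMS_OUTPUT.PUT_LINE('session user ' || USER ||
                       ' resolves WRITE_ROW to ' || v_schema || '.' || v_part1 ||
                       ' (object# ' || v_objnum || ')');
END;
/

-- 2. Is there a private or PUBLIC synonym that could redirect the name?
--    Resolution order is: object in the current schema, then a private
--    synonym, then a public synonym.
SELECT owner, synonym_name, table_owner, table_name
FROM   all_synonyms
WHERE  synonym_name = 'WRITE_ROW';

-- 3. What did auditing record for the two sessions? OWNER here is the
--    schema that owns the executed object, USERNAME the calling user.
SELECT username, owner, obj_name, action_name, timestamp
FROM   dba_audit_trail
WHERE  obj_name = 'WRITE_ROW'
ORDER  BY timestamp;

-- 4. The same check against the base table the poster inspected.
--    OBJ$CREATOR is the owning schema, USERID the calling user.
SELECT userid, obj$creator, obj$name, action#
FROM   sys.aud$
WHERE  obj$name = 'WRITE_ROW';
```

If step 1 reports a different schema than USER for one of the two sessions, or step 2 shows a synonym pointing at the other schema, the "wrong schema" write is a name-resolution matter in the test setup rather than a server defect, and that is what a support case would have to rule out first. If both sessions resolve to their own schema and the audit rows still show the other owner, the reproduction is worth packaging as the re-creatable test case the reply asks for.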

