Re: Trojan Horses in ORACLE 6 SQL*net connections

From: Daniel B. Bikle <dbikle_at_cco.caltech.edu>
Date: 15 Sep 1993 07:36:33 GMT
Message-ID: <276gm1INNeua_at_gap.caltech.edu>


"Andrew Jones (lrpr_at_unb.ca)" <LRPR_at_UNB.CA> writes:

> I am currently researching security measures for a client/server
>ORACLE 6 application. The server is running on an intel unix
>platform, while the clients are DOS-based.
> Some of our users will be dialling in using
>DCA's RLN (Remote Lan Node) product. For performance reasons, we
>must have the .FRM files resident on their PC's. It has occurred to
>me that a user could conceivably, if they were to have access to the
>ORACLE tools (certainly not unlikely, considering our user
>community), write their own form and replace our .FRM file with
>theirs; after our security checks have run at sign-on time, the
>application (in Menu/Forms) would call their form instead of our
>own, and then they could do various peeking and mischief in the ...

Andrew,

This reminds me of a problem with V5 rdbms and sqlnet. Anyone could hook up a V5 rdbms on the network and ior i any other V5 rdbms on the network.

I don't know much about forms so I'll leave those answers to the forms gurus.

I know a tad bit about Oracle7 though.

You could install Oracle7 and write procedures which manipulate the valuable data. Then when your users need to update a record they do it via a procedure rather than an update statement. If they try to update a record directly they will get ora-942.

Although you have a sql*menu gatekeeper in front of your V6 data, somewhere under the covers you have granted update, or insert, or delete to Betty Sue down in accounting. You never know, she might be smarter and more devious than she looks.

-Dan



Daniel B. Bikle
Independent Oracle Consultant
dbikle_at_alumni.caltech.edu
415/854-9542
P.O. BOX 'D'
MENLO PARK CA 94026
Received on Wed Sep 15 1993 - 09:36:33 CEST
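Dan's Oracle7 suggestion above, worked through as an added example (not code from the original post): the schema owner keeps all DML on the table, exposes a definer's-rights procedure, and grants only EXECUTE, so a user who bypasses the menu front end and connects with another tool still hits ORA-942. The schema name ACCT_OWNER, the user BSUE and the invoice table are assumptions for the illustration.

```sql
-- Run as the schema owner holding the data (assumed: ACCT_OWNER).
CREATE TABLE acct_owner.invoices (
    invoice_id   NUMBER       PRIMARY KEY,
    amount       NUMBER(12,2) NOT NULL,
    approved_by  VARCHAR2(30)
);

-- The only sanctioned way to change an amount. The procedure runs with
-- the owner's privileges (definer's rights), so the caller needs no
-- UPDATE grant on the table, and the check inside cannot be skipped.
CREATE OR REPLACE PROCEDURE acct_owner.set_invoice_amount (
    p_invoice_id IN NUMBER,
    p_amount     IN NUMBER
) AS
BEGIN
    IF p_amount < 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'amount must not be negative');
    END IF;
    UPDATE acct_owner.invoices
       SET amount = p_amount
     WHERE invoice_id = p_invoice_id;
    IF SQL%ROWCOUNT = 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'no such invoice');
    END IF;
END;
/

-- Betty Sue (assumed user BSUE) gets EXECUTE only, no table-level DML.
GRANT EXECUTE ON acct_owner.set_invoice_amount TO bsue;

-- Audit what was granted "under the covers": any direct DML privilege on
-- the table, to a user or to a role, defeats the procedure gatekeeper.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'ACCT_OWNER' AND table_name = 'INVOICES';
-- Revoke any stray grant the query turns up, e.g.:
-- REVOKE INSERT, UPDATE, DELETE ON acct_owner.invoices FROM bsue;

-- Now connected as BSUE from any client, not only the SQL*Menu front end:
UPDATE acct_owner.invoices SET amount = 0 WHERE invoice_id = 42;
-- fails with ORA-00942: table or view does not exist
-- (without a privilege on it, the table is not even visible to BSUE)

EXECUTE acct_owner.set_invoice_amount(42, 125.00);
-- succeeds, subject to the checks coded inside the procedure
```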
