Re: Why are people so afraid of underscore parameters ? (Usenet, c.d.o.server)
yong321_at_yahoo.com (Yong Huang) wrote in message news:<b3cb12d6.0208260630.9420a19_at_posting.google.com>...
> Thomas Kyte <tkyte_at_oracle.com> wrote in message news:<akc14j06hg_at_drn.newsguy.com>...
> > In article <b3cb12d6.0208251521.18cbe86a_at_posting.google.com>, yong321_at_yahoo.com
> > says...
> > >
> > >Thomas Kyte <tkyte_at_oracle.com> wrote in message
> > >news:<ak60ht02k5d_at_drn.newsguy.com>...
> > >>(in fact, I can show you a truly big problem with _trace_files_public, security
> > >> and another undocumented but seemingly innocent event that can be set at the
> > >>session level -- just need _trace_files_public to be set and ALTER SESSION privs
> > >> and I can get some pretty neat information)
> > >
> > >Hi, Tom,
> > >
> > >Out of curiosity, what event is that, suppose the user has alter
> > >session privilege?
> >
> > curiosity kills cats. I like cats.
>
> Killing a cat this way may not be that easy. I find that in Oracle 7
> but not beyond, you can use alter session to set blockdump event:
>
> alter session set events = 'immediate trace name blockdump level
> [level]'
>
> where [level] is the return value of the function
> dbms_utility.make_data_block_address ("documented" in Rama Velpuri's
> book). So people knowing how to interpret block dumps know the values
> in the table even though they can't select on the table from inside the
> database.
>
Even worse: with alter session and readable trace files, in Oracle 7, 8i, and up, it's possible to find users' passwords in plain text. This clever trick can be found in the white paper "Exploiting and Protecting Oracle" at www.pentest-limited.com.
All the more reason to be cautious when using undocumented features.
Received on Thu Aug 29 2002 - 12:58:34 CDT
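
An audit for the combination this thread warns about (`_trace_files_public` enabled together with accounts holding ALTER SESSION), added here as an example and not part of the original posts. It assumes a SYS connection, since the X$ tables are visible only to SYS, and uses comma joins so it also runs on the older releases mentioned above.

```sql
-- Added example, not from the thread. Run as SYS.

-- 1. Current value of the hidden parameter. X$KSPPI holds parameter
--    names, X$KSPPCV the current values; they join on INDX.
SELECT i.ksppinm  AS parameter,
       v.ksppstvl AS current_value,
       v.ksppstdf AS is_default
FROM   x$ksppi i, x$ksppcv v
WHERE  i.indx    = v.indx
AND    i.ksppinm = '_trace_files_public';

-- 2. Directory where session trace files are written, so its
--    OS-level permissions can be reviewed alongside the parameter.
SELECT name, value
FROM   v$parameter
WHERE  name = 'user_dump_dest';

-- 3. Users and roles granted ALTER SESSION directly.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'ALTER SESSION'
ORDER  BY grantee;

-- 4. Grantees that receive ALTER SESSION through a role.
--    One level only: roles granted to other roles need this
--    query repeated for each role that appears in the GRANTEE column.
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
WHERE  rp.granted_role IN (SELECT sp.grantee
                           FROM   dba_sys_privs sp
                           WHERE  sp.privilege = 'ALTER SESSION')
ORDER  BY rp.granted_role, rp.grantee;
```

If query 1 returns TRUE, every grantee listed by queries 3 and 4 should be reviewed; leaving the parameter at its default of FALSE and revoking ALTER SESSION where it is not needed removes the combination.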