
Re: Oracle stored procedures vs Running from a flat .sql file

From: Karsten Farrell <kfarrell_at_belgariad.com>
Date: Mon, 06 Jan 2003 23:30:53 GMT
Message-ID: <NkoS9.651$ru2.40404138@newssvr21.news.prodigy.com>


Tim X wrote:
> "Computer Person" <xx_at_xx.com> writes:
>
>> I am finding that the UTL_FILE security is flawed in major ways which is
>> contributing to the problems.
>
> We have a number of apps which make use of utl_file - I would really
> like to know what the security flaws are with it - my experience has
> been that utl_file can be a pain, but this is primarily because of its
> security restrictions. It would be most useful to know about the
> security flaws so that I can determine if our system has security
> holes I'm not aware of.
>
> Tim

Well, most of us can rest easy because we don't do foolish things with setting the utl_file directories (like setting them to '*' or '.' (dot)). But if you want to see some of the efforts hackers are proposing to use against an Oracle database, you can find lots of stuff on the Web. For example (will probably wrap):

http://www.blacksheepnetworks.com/security/resources/security/oracle-security/oracle-security.htm

shows some attempts to inform hackers of 'holes' in an Oracle db (though most of these holes are only available when a DBA is lazy or doesn't care about security or has never looked into it or...). No conscientious DBA will ever leave these 'holes'. Scan down to the bottom of the web page for hints on hacking utl_file ... but a DBA will have to open this hole on purpose.

Received on Mon Jan 06 2003 - 17:30:53 CST
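A check for the `utl_file_dir` settings named in the message above (`'*'` and `'.'`), run over a parameter file. This is an added example, not part of the original post; the sample init.ora text and the function names are constructed for illustration, and flagging other relative paths goes beyond the two values the post mentions.

```python
import re

# Values the post calls out: '*' removes the directory restriction,
# '.' (dot) points at the current directory instead of a fixed location.
RISKY = {"*": "wildcard: every directory is allowed",
         ".": "dot: current directory"}

PARAM = re.compile(r"^\s*utl_file_dir\s*=\s*(.*)$", re.IGNORECASE)

# Constructed sample parameter file, not taken from any real system.
SAMPLE = """\
# constructed sample init.ora
db_name = ORCL
utl_file_dir = /u01/app/oracle/out
utl_file_dir = '*'      # opened "temporarily"
UTL_FILE_DIR = ., /tmp/reports
"""

def utl_file_dirs(init_ora_text):
    """Return every utl_file_dir value in the file, in order of appearance."""
    dirs = []
    for line in init_ora_text.splitlines():
        line = line.split("#", 1)[0]            # drop trailing comments
        m = PARAM.match(line)
        if not m:
            continue
        raw = m.group(1).strip().strip("()")    # tolerate a (a, b) list
        for item in raw.split(","):
            item = item.strip().strip("'\"")    # tolerate quoted values
            if item:
                dirs.append(item)
    return dirs

def audit(init_ora_text):
    """Return (value, reason) for each setting that weakens the restriction."""
    findings = []
    for d in utl_file_dirs(init_ora_text):
        if d in RISKY:
            findings.append((d, RISKY[d]))
        elif not d.startswith("/") and not re.match(r"^[A-Za-z]:[\\/]", d):
            findings.append((d, "relative path"))
    return findings

if __name__ == "__main__":
    for value, reason in audit(SAMPLE):
        print(f"utl_file_dir = {value!r}: {reason}")
```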
