Re: PUBLIC privileges on XDB$ACL

  • From: Subodh Deshpande <deshpande.subodh@xxxxxxxxx>
  • To: david@xxxxxxxxxxxxxxxxxxxx
  • Date: Fri, 20 Jul 2012 10:29:10 +0530

ok..this is an index document.
xdb is used to store the xml data
can some tell me what exact privs xdb has got and which are been delegated
to public
then looking at the privs i can think of this is threat or not..
I am getting following results on my local db
SQL> select banner from v$version;

Oracle Database 10g Enterprise Edition Release - Prod
PL/SQL Release - Production
CORE      Production
TNS for 32-bit Windows: Version - Production
NLSRTL Version - Production

SQL> show user
SQL> SELECT grantor, grantee, table_name, owner
  2    FROM user_tab_privs
  3   WHERE grantee = 'XDB' and grantable = 'YES';

no rows selected

but xdb is schema owner who will be able to create and manage objects in it
and similarly others schema will be able to create and manage objects in
xdb..this is what I think..hence at this moment primafacie, I can say
instead of 'grant all to ....'  it should have grant privs1, privs2, privs3
etc..on object name to public..would have been a better code writing
practice...which exists in latter versions.

can some one put some more light on this..thanks..subodh

On 20 July 2012 08:22, <david@xxxxxxxxxxxxxxxxxxxx> wrote:

> becoming interesting..!
>> can someone provide a test case where by, it can be tested how attacker
>> can
>> attack any sql/!
> The attack vector should become apparent once you read the documentation
> for CREATE INDEX...**
> B28359_01/server.111/b28286/**statements_5011.htm<>
> Cheers,
> David

This Gmail Account will be deactivated  in One Months Time


Other related posts: