RE: Security - Read-only user can modify data via views

  • From: "Jesse, Rich" <Rich.Jesse@xxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 12 Apr 2006 09:26:49 -0500

I'm a little confused as to the severity of this.  Perhaps I've already
modified my DBSNMP account, but I'm not able to create ANY view under
10.2.  9.2.0.5 worked but only because the dbsnmp account had stupidly
been given the CONNECT role, and I had to re-enable the account and
change the password to be able to log in as dbsnmp.

I thought that Oracle had already recommended to:
  -- Disable the DBSNMP and other default accounts or at least change their passwords.
  -- Don't grant SELECT ANY DICTIONARY unless specifically needed.

So I guess I don't see this as really being a big deal.  To me, it's
just a combination of exploiting the default lack of security set up by
catalog.sql (and its sub-cronies).

Thoughts?

Rich

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Andre van Winssen
Sent: Wednesday, April 12, 2006 6:30 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: Security - Read-only user can modify data via views

Yes, and I told the poster, Alexander Kornbrust, that his company is very
careless and irresponsible by revealing so much detail. It took little
time before I was able to delete data that wasn't mine or change DBA
account passwords for which my Oracle account had no priv. No patch
available yet and it works in all latest and greatest database versions.
Checked it myself.
Are you ready for the next CPU?

Regards,
Andre

-: An Oracle error is an index on the solutions table :-
-: Andre


> Has anyone read this -
>
> http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html
>
> The note mentioned seems to have been taken out from Metalink now.
>
> Thanks
> Manmohan
--
//www.freelists.org/webpage/oracle-l
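The two hardening points Rich lists (lock or re-password default accounts such as DBSNMP; don't hand out SELECT ANY DICTIONARY) as an added SQL audit example, not code from anyone in the thread; the list of default account names and the remediation statements are assumptions to adapt to your own database.

```sql
-- Added example, not from the thread. Audit queries for the two hardening
-- points raised above; run as a DBA. The account list is illustrative.

-- 1. Default / maintenance accounts that are not locked
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username IN ('DBSNMP', 'OUTLN', 'SCOTT', 'MDSYS', 'CTXSYS', 'WMSYS')
   AND account_status NOT LIKE '%LOCKED%'
 ORDER BY username;

-- 2. Roles granted to DBSNMP (Rich found CONNECT on 9.2.0.5)
SELECT granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'DBSNMP';

-- 3. Direct grantees of SELECT ANY DICTIONARY (users and roles)
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY'
 ORDER BY grantee;

-- 4. Users who receive it indirectly through a role (DBA role included)
SELECT rp.grantee AS user_or_role, rp.granted_role AS via_role
  FROM dba_sys_privs  sp
  JOIN dba_role_privs rp ON rp.granted_role = sp.grantee
 WHERE sp.privilege = 'SELECT ANY DICTIONARY'
 ORDER BY rp.grantee;

-- 5. Remediation after review (replace <grantee> with a finding from 3 or 4)
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;
-- REVOKE SELECT ANY DICTIONARY FROM <grantee>;
```

If Enterprise Manager still monitors the instance through DBSNMP, change its password and update the agent instead of locking the account.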