Re: using set role command in a logon trigger -- got something implemented - now security question

  • From: Wolfgang Breitling <breitliw@xxxxxxxxxxxxx>
  • To: rjamya <rjamya@xxxxxxxxx>
  • Date: Fri, 13 Apr 2007 07:34:42 -0600

That's why I said it depends on how sys_context determines the user's environment module name. If it's simply by program name then it is obviously very easy as I demonstrated. If it is by the application module name then it may be more difficult but probably not impossible. Whatever the application is doing to establish its sys_context one can likely fake. The biggest hurdle (for a would-be hacker) is probably to find out what it is that needs to be faked.


At 05:19 AM 4/13/2007, rjamya wrote:
Wolfgang,

true, but remember, the logon trigger will fire after you log in and before you get your prompt back to issue the exec dbms_application_info command.

Laura,

if you are that worried, revoke dbms_application_info from public and grant it at the end of the trigger. Spoofing will require the user to execute some code, which obviously cannot be done until the login process is complete.

Am I missing anything?
rjamya

On 4/12/07, Wolfgang Breitling <breitliw@xxxxxxxxxxxxx> wrote:

I am getting out on a limb here to say "most likely yes". How
difficult it is depends to some degree on how your sys_context
determines "the user's environment module name".

Regards

Wolfgang Breitling
Centrex Consulting Corporation
www.centrexcc.com
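The mechanism the thread is debating, written out as an added example (this is not code from the thread or from any of its participants): an AFTER LOGON trigger that enables a role only when SYS_CONTEXT('USERENV','MODULE') carries the expected application name, and that records every decision so the weak spot Wolfgang describes (the module and program name are reported by the client side) is at least visible after the fact. The schema APP_SEC, the role APP_USER_ROLE, the tables LOGON_ROLE_AUDIT and APP_HOSTS, and the module string 'MYAPP' are assumptions.

```sql
-- Added example, not the thread's own code.  Assumed names: schema APP_SEC,
-- role APP_USER_ROLE, tables LOGON_ROLE_AUDIT and APP_HOSTS, module 'MYAPP'.
-- Assumed setup: each user is granted APP_USER_ROLE as a NON-default role
-- (ALTER USER u DEFAULT ROLE ALL EXCEPT app_user_role), and APP_SEC has
-- CREATE TABLE, CREATE PROCEDURE and ADMINISTER DATABASE TRIGGER.

CREATE TABLE app_sec.logon_role_audit (
  logged_at    TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  db_user      VARCHAR2(128) NOT NULL,
  os_user      VARCHAR2(128),
  host         VARCHAR2(256),
  ip_address   VARCHAR2(64),
  module       VARCHAR2(64),
  role_enabled CHAR(1)       NOT NULL
);

-- Autonomous transaction so the audit row is committed even though the
-- logon trigger itself never issues COMMIT.
CREATE OR REPLACE PROCEDURE app_sec.log_logon_decision (
  p_module       IN VARCHAR2,
  p_role_enabled IN CHAR
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO app_sec.logon_role_audit
    (db_user, os_user, host, ip_address, module, role_enabled)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     p_module,
     p_role_enabled);
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER app_sec.trg_logon_set_role
AFTER LOGON ON DATABASE
DECLARE
  v_module  VARCHAR2(64);
  v_enabled CHAR(1) := 'N';
BEGIN
  -- MODULE, OS_USER, HOST and the program name are all reported by the
  -- client library when the connection is opened, i.e. before this trigger
  -- fires.  Treat them as a hint about which program connected, not as
  -- authentication.
  v_module := SYS_CONTEXT('USERENV', 'MODULE');

  IF UPPER(v_module) = 'MYAPP' THEN
    DBMS_SESSION.SET_ROLE('APP_USER_ROLE');
    v_enabled := 'Y';
  END IF;

  -- Record every decision, denials included, so the table can be reviewed
  -- for sessions that presented the application's module name from an
  -- unexpected host or OS user.
  app_sec.log_logon_decision(v_module, v_enabled);
EXCEPTION
  WHEN OTHERS THEN
    -- An unhandled error in an AFTER LOGON trigger blocks the logon for
    -- every user without ADMINISTER DATABASE TRIGGER.  Fail closed on the
    -- role (it simply stays disabled) but not on the logon itself.
    NULL;
END;
/

-- Review query: sessions that obtained the role from hosts that are not
-- the known application servers listed in the assumed APP_HOSTS table.
SELECT db_user, os_user, host, ip_address, COUNT(*) AS logons
FROM   app_sec.logon_role_audit
WHERE  role_enabled = 'Y'
AND    host NOT IN (SELECT host FROM app_sec.app_hosts)
GROUP  BY db_user, os_user, host, ip_address
ORDER  BY logons DESC;
```

Note that rjamya's suggestion of revoking DBMS_APPLICATION_INFO from PUBLIC only closes changes made after the session exists; the value the trigger reads at logon time is whatever the client library sent when it connected, which is exactly the value Wolfgang says can be faked. The audit table does not stop that, but it turns a silent role grant into something a reviewer can query.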
