I've just uploaded another database security brief - this one explores extproc and risks posed by UTL_TCP.

Cheers,
David

> -----Original Message-----
> From: dbsec-bounce@xxxxxxxxxxxxx
> [mailto:dbsec-bounce@xxxxxxxxxxxxx] On Behalf Of David Litchfield
> Sent: 18 November 2005 14:26
> To: dbsec@xxxxxxxxxxxxx
> Subject: [dbsec] New Database Security Brief
>
> I've just put up a Database Security Brief; the first of many to come.
>
> http://www.databasesecurity.com/dbsec-briefs.htm
>
> It's called a brief because there's enough meat to make it
> interesting but not enough to make it a paper ;)
>
> This brief, Snagging Security Tokens to Elevate Privileges,
> details how a database server running as a low privileged
> user on Windows can still provide an attacker with the
> ability to gain elevated privileges on the network and
> suggests a change in security policy to mitigate the risk. As
> a side note, this affects all network servers that offer OS
> based authentication - not just database servers.
>
> Cheers,
> David