Re: PUBLIC privileges on XDB$ACL

  • From: Subodh Deshpande <deshpande.subodh@xxxxxxxxx>
  • To: david@xxxxxxxxxxxxxxxxxxxx
  • Date: Fri, 20 Jul 2012 10:29:10 +0530

ok..this is an index document.
xdb is used to store the xml data
can someone tell me what exact privs xdb has got and which have been delegated
to public
then looking at the privs i can think about whether this is a threat or not..
I am getting the following results on my local db
SQL> select banner from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
PL/SQL Release 10.2.0.1.0 - Production
CORE    10.2.0.1.0      Production
TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
NLSRTL Version 10.2.0.1.0 - Production

SQL> show user
USER is "XDB"
SQL> SELECT grantor, grantee, table_name, owner
  2    FROM user_tab_privs
  3   WHERE grantee = 'XDB' and grantable = 'YES';

no rows selected

but xdb is the schema owner who will be able to create and manage objects in it
and similarly other schemas will be able to create and manage objects in
xdb..this is what I think..hence at this moment prima facie, I can say
instead of 'grant all to ....'  it should have been grant privs1, privs2, privs3
etc..on object name to public..that would have been a better code writing
practice...which exists in later versions.

can someone shed some more light on this..thanks..subodh

On 20 July 2012 08:22, <david@xxxxxxxxxxxxxxxxxxxx> wrote:

> becoming interesting..!
>> can someone provide a test case whereby it can be tested how an attacker
>> can
>> attack any SQL/PL/SQL code..pl..!
>>
>
> The attack vector should become apparent once you read the documentation
> for CREATE INDEX...
> http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_5011.htm
> Cheers,
> David
>
>
>


-- 
=============================================
This Gmail Account will be deactivated  in One Months Time
=============================================
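The question above asks which of XDB's object privileges have been handed to PUBLIC. The session in the post filters USER_TAB_PRIVS on grantee = 'XDB', which lists what XDB has received, not what XDB's objects expose. The following audit query is an added example (not code from the thread or from Oracle); it assumes a DBA account with access to DBA_TAB_PRIVS and the column layout of that view in Oracle 10.2:

```sql
-- Added example: enumerate every object privilege that PUBLIC holds on
-- objects owned by XDB, and flag the ones PUBLIC may pass on to others.
-- GRANTABLE = 'YES' means the grant carried WITH GRANT OPTION.
SELECT owner,
       table_name,
       privilege,
       grantable,      -- 'YES': any user can re-grant this privilege
       grantor
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'XDB'
 ORDER BY table_name, privilege;

-- Narrow the audit to the table the thread is about and keep only the
-- privileges that let a non-owner change the table or attach objects
-- (indexes, constraints) to it; a 'GRANT ALL' shows up here as a full list.
SELECT privilege, grantable, grantor
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND owner      = 'XDB'
   AND table_name = 'XDB$ACL'
   AND privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER',
                     'INDEX', 'REFERENCES')
 ORDER BY privilege;
```

An empty result from the second query means PUBLIC holds only read-style privileges on XDB$ACL; a non-empty one is the list to compare against what XML DB actually needs before any grant is narrowed, since revoking a privilege XML DB depends on breaks the feature.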


--
//www.freelists.org/webpage/oracle-l
