Re: Security - Read-only user can modify data via views

  • From: "Niall Litchfield" <niall.litchfield@xxxxxxxxx>
  • To: awinssen@xxxxxxxxx
  • Date: Wed, 12 Apr 2006 13:48:00 +0100

Had Oracle themselves not emailed working exploit code around the world, then
I would probably agree; as it stands, I think that it is a helpful warning.

Niall


On 4/12/06, Andre van Winssen <awinssen@xxxxxxxxx> wrote:
>
> Yes, and I told the poster, Alexander Kornbrust, that his company is very
> careless and irresponsible by revealing so much detail. It took little
> time before I was able to delete data that wasn't mine or change DBA
> account passwords for which my Oracle account had no priv. No patch
> available yet and it works in all latest and greatest database versions.
> Checked it myself.
> Are you ready for the next CPU?
>
> Regards,
> Andre
>
> -: An Oracle error is an index on the solutions table :-
> -: Andre
>
>
> > Has anyone read this -
> >
> > http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html
> >
> > The note mentioned seems to have been taken out from Metalink now.
> >
> > Thanks
> > Manmohan
> >
> > --
> > //www.freelists.org/webpage/oracle-l


--
Niall Litchfield
Oracle DBA
http://www.orawin.info
