RE: Would you recommend such an application for production use?

  • From: "Aragon, Gabriel (GE, Corporate, consultant)" <gabriel.aragon@xxxxxx>
  • To: "oracle list" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 17 Feb 2010 20:25:43 -0500

You will be surprised to see how many apps require DBA privileges for their app 
users; they just say "that's the way it works, no modifications will be done", 
so as Martin said, cover your back by raising your hand and letting decision makers 
approve/disapprove it.
 
IMHO

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Mohammad Rafiq
Sent: Wednesday, 17 February 2010 07:01 p.m.
To: Martin; oracle list
Subject: RE: Would you recommend such an application for production use?


Martin,
 
You just provide your professional view to decision makers. Most vendor 
products come with such surprises and all types of security deviations. The 
beautiful part is that vendors don't agree to make any changes to the 
application.
 
It is possible that no one may agree with you at this stage, but at a later 
stage if any security violations are reported then you will be on the safe side.
 
Regards
Rafiq
 
 

 
> Date: Wed, 17 Feb 2010 21:20:04 +0000
> From: development@xxxxxxxxxxxxxxxxx
> To: oracle-l@xxxxxxxxxxxxx
> Subject: Would you recommend such an application for production use?
> 
> Dear listers,
> 
> I tried to come up with a good name for this post but couldn't. So here
> goes the story:
> 
> I have been asked to review a product that management is _very_ keen to
> deploy in production. Unfortunately before this can happen it has to go
> through a change management process which implies that "troublemakers"
> like me can raise their concerns that need addressing. For a change I
> have access to the source code of the application which makes it even
> more interesting.
> 
> I discovered a number of things I don't like but was wondering what you
> thought about these; maybe I'm just pedantic? Among the most terrifying
> ones are:
> 
> - The installation script creates a user (default username = password)
> and grants select privileges on the dictionary to the new application
> user with grant option.
> 
> This is not too great but not too difficult to harden.
> 
> - the installation script furthermore creates objects in the sys schema,
> namely create view foo as select * from someX$view
> 
> This is disturbing for me
> 
> - the owner of the application schema grants almost complete access on
> its schema to public. The rationale is that the application needs to
> allow a user logging into the database through the frontend access to
> its schema
> 
> Now since the software is used for monitoring the health of a web
> application through the tiers (including Oracle), anyone with connect
> privileges could access these data...
> 
> Has anyone had a similar experience? What did you do?
> 
> Interested to hear comments!
> 
> Martin
> --
> //www.freelists.org/webpage/oracle-l
> 
> 


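The three findings Martin lists (a default-password application account with dictionary access granted WITH GRANT OPTION, installer-created objects in the SYS schema, and near-complete grants to PUBLIC on the application schema) can each be checked from the data dictionary before the change board meets. The following queries are an added example and are not part of the thread or of the vendor's installer; `APP_OWNER` and `APP_READER` are placeholder names for the vendor's schema and for a role you create, and the grants in the "before" and "after" part are assumed shapes of what the installer does, not copied from it. Run the audit part as a DBA (SQL*Plus or any client).

```sql
-- Added audit example for the findings in Martin's post (not from the thread).
-- APP_OWNER is a placeholder for the vendor's application schema.

-- 1. Accounts with a known Oracle default password (DBA_USERS_WITH_DEFPWD,
--    11g and later). A vendor account whose password merely equals its
--    username is NOT in that list, so also look at when the account was
--    created and which profile governs it.
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

SELECT username, created, account_status, profile
FROM   dba_users
WHERE  username = 'APP_OWNER';          -- placeholder account name

-- 2a. Dictionary access that can be passed on. The post says "select
--     privileges on the dictionary ... with grant option"; depending on
--     how the installer phrased it, that is either a system privilege with
--     ADMIN OPTION or object grants on SYS views with GRANT OPTION.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
ORDER  BY grantee;

SELECT grantee, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  owner = 'SYS'
   AND grantable = 'YES'
ORDER  BY grantee, table_name;

-- 2b. Objects created in SYS after the database itself was created.
--     Patches and upgrades also add objects here, so compare the CREATED
--     timestamp with the installer's run time rather than treating every
--     row as a finding.
SELECT o.object_type, o.object_name, o.created
FROM   dba_objects o
WHERE  o.owner = 'SYS'
   AND o.created > (SELECT created FROM v$database)
ORDER  BY o.created DESC;

-- 3. Everything the application schema has handed to PUBLIC. Any row here is
--    readable by every account that can connect, which is the exposure
--    Martin describes for the monitoring data.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
   AND owner = 'APP_OWNER'
ORDER  BY table_name, privilege;

-- Mitigation sketch for finding 3 (assumed shape of the installer's grant,
-- then the hardened equivalent). Instead of PUBLIC, a role carries the
-- read access and is granted only to the accounts the front end uses.
--
-- Before (what an installer like the one described typically does):
--   GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.monitor_data TO PUBLIC;
--
-- After:
CREATE ROLE app_reader;
GRANT SELECT ON app_owner.monitor_data TO app_reader;   -- table name is a placeholder
GRANT app_reader TO frontend_user;                       -- account used by the front end
REVOKE SELECT, INSERT, UPDATE, DELETE ON app_owner.monitor_data FROM PUBLIC;

-- Re-run query 3 afterwards: the expected result for APP_OWNER is no rows.
```

The queries read only the dictionary and can be run before any change is approved; the mitigation part changes privileges and belongs in the change record itself, one statement per object the installer granted to PUBLIC. Query 2a deliberately lists all holders of SELECT ANY DICTIONARY, not just the vendor account, because an installer that grants WITH ADMIN OPTION lets the application account pass the privilege on, and the onward grants are what you want on the table for the decision makers.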