Re: PUBLIC privileges on XDB$ACL
Date: Fri, 20 Jul 2012 10:29:10 +0530
Message-ID: <CAJsOtB7p=NN7Dyir8TtqRVh6kf5Mm2N0St5CS4FubxfQeCnGhQ_at_mail.gmail.com>
ok.. this is an index document.
XDB is used to store the XML data.
Can someone tell me what exact privs XDB has got and which have been delegated to PUBLIC?
Then, looking at the privs, I can think about whether this is a threat or not.. I am getting the following results on my local db:

SQL> select banner from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
PL/SQL Release 10.2.0.1.0 - Production
CORE 10.2.0.1.0 Production
TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
NLSRTL Version 10.2.0.1.0 - Production
SQL> show user
USER is "XDB"
SQL> SELECT grantor, grantee, table_name, owner
2 FROM user_tab_privs
3 WHERE grantee = 'XDB' and grantable = 'YES';
no rows selected
but xdb is schema owner who will be able to create and manage objects in it and similarly others schema will be able to create and manage objects in xdb..this is what I think..hence at this moment primafacie, I can say instead of 'grant all to ....' it should have grant privs1, privs2, privs3 etc..on object name to public..would have been a better code writing practice...which exists in latter versions.
can some one put some more light on this..thanks..subodh
On 20 July 2012 08:22, <david_at_databasesecurity.com> wrote:
> becoming interesting..!
>> can someone provide a test case whereby it can be tested how an attacker
>> can attack any SQL/PLSQL code.. pl..!
>>
>
> The attack vector should become apparent once you read the documentation
> for CREATE INDEX... http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_5011.htm
> Cheers,
> David
--
=============================================
This Gmail Account will be deactivated in One Months Time
=============================================
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jul 19 2012 - 23:59:10 CDT
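As an added example (not from the thread), the following audit queries answer the question asked above from the DBA_* views, which, unlike the USER_TAB_PRIVS query run as XDB, list what has been granted to PUBLIC on XDB-owned objects such as XDB$ACL, and what XDB itself holds. They assume a DBA-privileged session (e.g. SYS) on the instance under review.

```sql
-- Added audit queries; run as a DBA-privileged user on the instance under review.

-- 1. Every object privilege on an XDB-owned object that has been granted to
--    PUBLIC. A row with TABLE_NAME = 'XDB$ACL' shows what any session may do
--    to the ACL table; GRANTABLE = 'YES' means PUBLIC could pass it on.
SELECT owner, table_name, privilege, grantable, grantor
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'XDB'
 ORDER BY table_name, privilege;

-- 2. Narrow to the write-capable grants, which are the ones that separate
--    'grant all' from an explicit, minimal privilege list. INDEX is included
--    because the CREATE INDEX documentation is what the reply points at.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND owner     = 'XDB'
   AND privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER', 'INDEX', 'REFERENCES')
 ORDER BY table_name, privilege;

-- 3. System privileges and roles held by the XDB account itself, so the
--    reach of anything done through an XDB-owned object can be judged.
SELECT 'SYS'  AS kind, privilege    AS name, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'XDB'
UNION ALL
SELECT 'ROLE' AS kind, granted_role AS name, admin_option
  FROM dba_role_privs
 WHERE grantee = 'XDB'
 ORDER BY kind, name;
```

If query 2 returns rows, compare them against the grants present on a patched release of the same version before revoking anything, since XDB components depend on some of the PUBLIC grants.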