Oracle-L: Supplied Packages, Database Links, and SQL Injection
Certain supplied packages such as dbms_export_extension are flawed: you can inject SQL such as "grant dba to me;" into them and the code will be executed. Now suppose you are pulling data from a database which includes sensitive information to one that does not, via a database link. No sensitive data is accessible; the account on the sensitive database to which the database link connects has no privilege to access the sensitive objects. However, there is a package, I'll call it dbms_flawed, which is exploitable via SQL injection. A user runs dbms_flawed.execute_this_at_remote_db('grant dba to me'), thereby gaining that privilege, or executes dbms_flawed.execute_at_remote_db('grant all on trusted_user.confidential_info_table to me'); the controls set up to prevent improper access are bypassed.
The answer is to not allow "me" to execute dbms_flawed. However, there are other packages which might now or someday be exploitable. How are folks handling this? Have you revoked execute privileges from public on all packages, or on a certain set of packages (if so, which ones)? Is there a list of packages which have the potential to be exploited? Revoking privileges can be tricky. Dba_dependencies will find calls from stored procedures, but not anonymous blocks.
Ian MacGregor
Stanford Linear Accelerator Center
ian_at_slac.stanford.edu
-- http://www.freelists.org/webpage/oracle-l

Received on Tue May 09 2006 - 13:17:33 CDT
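The following SQL is an added example, not part of the original post and not Ian's own scripts. It walks the procedure the post hints at on an Oracle 10g-era data dictionary: inventory which SYS packages PUBLIC can execute, find stored-code callers with DBA_DEPENDENCIES (which, as the post notes, misses anonymous blocks), use object auditing to catch those ad-hoc callers before revoking, then revoke from PUBLIC and re-grant to the accounts that actually need the package, and finally check what the database-link account itself holds. The package name DBMS_FLAWED is the post's hypothetical; BATCH_LOADER and LINK_USER are hypothetical account names assumed here. Auditing into the DBA_AUDIT_OBJECT view assumes the AUDIT_TRAIL parameter is set to a database destination.

```sql
-- 1. Inventory: which SYS packages can PUBLIC execute?
--    DBA_TAB_PRIVS is a standard data-dictionary view.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee   = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    owner     = 'SYS'
AND    table_name LIKE 'DBMS\_%' ESCAPE '\'
ORDER BY table_name;

-- 2. Stored-code callers. DBA_DEPENDENCIES lists procedures, functions, packages,
--    triggers and views that reference the package, but NOT anonymous PL/SQL blocks.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name  = 'DBMS_FLAWED'      -- hypothetical package name from the post
ORDER BY owner, name;

-- 3. Anonymous-block callers: audit executions for a representative period before
--    revoking, so ad-hoc callers surface in the audit trail (assumes AUDIT_TRAIL=DB).
AUDIT EXECUTE ON sys.dbms_flawed BY ACCESS;

--    ... later, see who actually ran it and from where:
SELECT username, os_username, userhost, timestamp, returncode
FROM   dba_audit_object
WHERE  owner    = 'SYS'
AND    obj_name = 'DBMS_FLAWED'
ORDER BY timestamp;

-- 4. Remove the blanket grant and re-grant only to the callers found in steps 2 and 3.
REVOKE EXECUTE ON sys.dbms_flawed FROM PUBLIC;
GRANT  EXECUTE ON sys.dbms_flawed TO batch_loader;   -- hypothetical legitimate caller

-- 5. Database-link side: the remote account the link connects as should hold only the
--    system and object privileges it needs. List what it actually holds.
SELECT privilege AS held_privilege
FROM   dba_sys_privs
WHERE  grantee = 'LINK_USER'                         -- hypothetical link account
UNION ALL
SELECT privilege || ' ON ' || owner || '.' || table_name
FROM   dba_tab_privs
WHERE  grantee = 'LINK_USER'
ORDER BY 1;
```

Run steps 1 through 3 on the sensitive (remote) database, since that is where an injected statement would execute; step 3 deliberately runs for a while before step 4 so that the revoke does not break an anonymous-block caller that DBA_DEPENDENCIES could not see.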