Kommentare zu: Oracle Security Riddle http://blog.red-database-security.com/2007/05/28/oracle-security-riddle/ Sat, 22 Nov 2008 04:43:13 +0000 http://wordpress.org/?v=2.2.1 Von: Gary http://blog.red-database-security.com/2007/05/28/oracle-security-riddle/#comment-3 Gary Mon, 28 May 2007 23:56:47 +0000 http://blog.red-database-security.com/2007/05/28/oracle-security-riddle/#comment-3 Well it isn't invoker rights so the privileges it runs with might allow it to alter any user's password (and presumably do, otherwise why not have the routine just derive the current user). I would generally think that is enough, but a suitably crafted P_USER (including closing quotes and a -- comment) could allow it do other ALTER USER operations, such as Account unlock. Being pedantic, it would actually error as it's not returning a true/false as indicated, but the error wouldn't prevent the ALTER USER from happening. If this was really 'live', then it probably means either the errors are trapped and hidden or that it generates so many errors that they are never looked at. Either way any cracker's attempt to abuse the routine would never be noticed. AK> sorry I forgot to copy the error handling and return value. Well it isn’t invoker rights so the privileges it runs with might allow it to alter any user’s password (and presumably do, otherwise why not have the routine just derive the current user). I would generally think that is enough, but a suitably crafted P_USER (including closing quotes and a — comment) could allow it do other ALTER USER operations, such as Account unlock.
Being pedantic, it would actually error as it’s not returning a true/false as indicated, but the error wouldn’t prevent the ALTER USER from happening. If this was really ‘live’, then it probably means either the errors are trapped and hidden or that it generates so many errors that they are never looked at. Either way any cracker’s attempt to abuse the routine would never be noticed.

AK> sorry I forgot to copy the error handling and return value.

]]>