Kommentare zu: Oracle CPU April 2008 - Update http://blog.red-database-security.com/2008/04/16/oracle-critical-patch-update-cpu-april-2008/ Wed, 20 Aug 2008 16:38:35 +0000 http://wordpress.org/?v=2.2.1 Von: Alexander Kornbrust http://blog.red-database-security.com/2008/04/16/oracle-critical-patch-update-cpu-april-2008/#comment-6425 Alexander Kornbrust Mon, 16 Jun 2008 17:28:56 +0000 http://blog.red-database-security.com/2008/04/16/oracle-critical-patch-update-cpu-april-2008/#comment-6425 Hello zg, I guess you mean privilege escalation. SQL Injection is always a security problem even if privilege escalation is not possible. Even if AUTHID='CURRENT_USER' privilege escalation is sometimes possible, e.g. KUPW$WORKER, KUPM$MCP, ... have all AUTHID='CURRENT_USER' and are exploitable. Hope this helps. Regards Alexander Hello zg,

I guess you mean privilege escalation. SQL Injection is always a security problem even if privilege escalation is not possible.

Even if AUTHID=’CURRENT_USER’ privilege escalation is sometimes possible, e.g. KUPW$WORKER, KUPM$MCP, … have all AUTHID=’CURRENT_USER’ and are exploitable.

Hope this helps.

Regards

Alexander

]]> Von: >zg http://blog.red-database-security.com/2008/04/16/oracle-critical-patch-update-cpu-april-2008/#comment-6424 >zg Mon, 16 Jun 2008 16:52:13 +0000 http://blog.red-database-security.com/2008/04/16/oracle-critical-patch-update-cpu-april-2008/#comment-6424 I have a question, how can we exploit injections like SDO_UTIL [DB05], SDO_GEOM [DB06] and SDO_IDX [DB07] when they are defined with AUTHID CURRENT_USER ? I have a question, how can we exploit injections like SDO_UTIL [DB05], SDO_GEOM [DB06] and SDO_IDX [DB07] when they are defined with AUTHID CURRENT_USER ?

]]>