Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Modify Data via Inline Views

From: "Alexander Kornbrust" <ak () red-database-security com>
Date: Mon, 23 Oct 2006 18:51:42 +0200
Name    Modify Data via Inline Views (8107967) [DB09]
Systems Affected        Oracle 9i - 10g Rel. 2
Severity        High Risk
Category        Unauthorized Access
Vendor URL      http://www.oracle.com/
Author  Alexander Kornbrust (ak at red-database-security.com)
Advisory        18 October 2006 (V 1.00)
Advisory
http://www.red-database-security.com/advisory/oracle_modify_data_via_inline_
views.html

Details
#######
Updates, deletes and inserts are possible with least-privilege via inline
views. A user with create session only can insert/update/delete data (e.g.
the dual table). This bug is similar but not identical to the bug which was
fixed in the July 2006 CPU (Modify Data via views). No workarounds
available.


Samples
#######
delete from (specially crafted inline view)
insert into (specially crafted inline view)
update (specially crafted inline view)


Patch Information
#################
Apply the patches for Oracle CPU October 2006.


History
#######
24-jul-2006 Oracle secalert was informed about a variant of the create view
bug.
18-oct-2006 Oracle published CPU October 2006 [DB09]
18-oct-2006 Advisory published


Additional Information
######################
An analysis of the Oracle CPU Oct 2006 is available here
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: