msgbartop
News, views, tips and tricks on Oracle and other fun stuff
msgbarbottom

5 Links from Around the Web (2007-05-25)

More from my bookmarks on del.icio.us

4 Comments | Filed in Links | Tags: ,


Indirect Privilege Escalation And Defeating Virtual Private Databases

David Litchfield has just published two chapters from his book The Oracle Hacker’s Handbook: Hacking and Defending Oracle.

Indirect Privilege Escalation (PDF)

In this chapter, David gives two examples, one with CREATE ANY TRIGGER and another with CREATE ANY VIEW to demonstrate how these privileges can be abused to gain DBA privileges. In fact, a user who has the CREATE ANY x privilege can trivially gain DBA privileges, and SQL injection has a lot to do with it.

Defeating Virtual Private Databases (PDF)

Virtual Private Databases (VPDs) allow a user to access only the data that the policy specifies they can access, and no more. In this chapter, David demonstrates how to trick Oracle into dropping a policy and how to defeat VPDs with raw file access. Again, SQL injection is the main culprit.

Comments Off | Filed in Oracle, Tips | Tags: , ,


links for 2006-10-06

4 Comments | Filed in Links | Tags: ,