Doh! Busted right back! Now I get the same results (assuming I grant the user alter session of course - if the user doesn't have alter session I get the privilege error).
Thanks Raj! --- rjamya <[EMAIL PROTECTED]> wrote: > Russell, > > you have a syntax error, you need a comma before > LEVEL. > > Raj > > On 7/28/06, Russell Lowenthal <[EMAIL PROTECTED]> > wrote: > > Interesting comment. So if I understand what you > are > > saying I should be able to create a user: > > > > SQL> create user nottoosmart identified by > > d0ntkn0wmuch; > > > > User created. > > > > SQL> grant create session to nottoosmart; > > > > Grant succeeded. > > > > SQL> connect nottoosmart/d0ntkn0wmuch > > Connected. > > SQL> alter session set events '10046 trace name > > context forever level 16'; > > ERROR: > > ORA-01031: insufficient privileges > > > > Hmm - would you mind posting your EXACT test case? > I > > ran this against a 9.2.0.7, 10.2.0.1 and 10.2.0.2 > > database and seem to get different results then > you > > are seeing. Just for the heck of it I went ahead > and > > granted the user alter session privileges: > > > > SQL> conn / as sysdba > > Connected. > > SQL> grant alter session to nottoosmart; > > > > Grant succeeded. > > > > SQL> connect nottoosmart/d0ntkn0wmuch > > Connected. > > SQL> alter session set events '10046 trace name > > context forever level 16'; > > ERROR: > > ORA-02194: event specification syntax error 230 > (minor > > error 215) near 'LEVEL' > > > > so even a user that I've purposely given > privileges to > > alter their own session doesn't seem to be able to > do > > anything with this command. > > > > So far I have to call this myth: Busted > > > > ---Original message---- > > I can't believe it. Oracle releases new patches > and > > they have not been solved one of the main > problems: A > > user with only the SELECT privilege can do > WHATEVER > > (S)HE WANTS WITH THE ENTIRE DATABASE!!!! > > > > I'm not sure if is time to full disclosure it but, > > anyway, I will "full disclosure" one inocent > issue, an > > integer overflow: > > > > Example: > > --Connect with any user with only CREATE SESSION > > SQL> alter session set events '10046 trace name > > context forever, level > > SQL> 16'; > > > > Session altered. > > > > SQL> alter session set events > > > '10046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004 > > > 61004610046100461004610046100461004610046100461004610046100461004610046100461004610046trace > > name context forever, level 16'; > > ERROR: > > ORA-00600: internal error code, arguments: [300], > > [985], [], [], [], [], [], [] > > > > > > It's not even a crash but (be sure) that there are > > other "combinations" that makes it vulnerable to > > integer overflows allowing the execution of > arbritrary > > code. > > > > PD: Hello Mary Ann! Are you on holidays? > > > > > _________________________________________________________________ > > Grandes éxitos, superhéroes, imitaciones, cine y > TV... > > > > http://es.msn.kiwee.com/ Lo mejor para tu móvil. > > > > __________________________________________________ > > Do You Yahoo!? > > Tired of spam? Yahoo! Mail has the best spam > protection around > > http://mail.yahoo.com > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - > http://secunia.com/ > > > > > -- > ---------------------------------------------- > Got RAC? > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
