Yeah, this is really dangerous. A user who only has the SELECT privilege on a table turns out to be able to perform DML on that table through a view. And there's no patch yet.
If possible, don't grant the CONNECT role to a user, because it includes the CREATE VIEW and CREATE DATABASE LINK privileges, which can be used to exploit this bug. oh...oracle...:(

regards,
tomi

--- Muhammad Alif <[EMAIL PROTECTED]> wrote:

> Oracle Exploit Code
>
> Systems Affected : Oracle Database 9.1.0.0 - 10.2.0.3 (any platform)
> Severity : High Risk (unpatched)
> Category : Privilege Escalation
> Vendor URL : http://www.oracle.com/
> Author : Alexander Kornbrust (ak at red-database-security.com)
> Date : 11 April 2006 (V 1.0.4)
> Founder of this vulnerability : Dr. Christian Kleinewächter and Swen Thümmler from infinity3 GmbH
> Oracle Bugno. : 7185031
> CVE : CVE-2006-1705
>
> Preface
> Last Thursday 6th April 2006, Oracle released a note
> on the Oracle knowledgebase Metalink with details
> about an unfixed security vulnerability (=0day) and
> a working test case (=exploit code) which affects
> all versions of Oracle from 9.1.0.0 to 10.2.0.3.
> This note "363848.1 - A User with SELECT Object
> Privilege on Base Tables Can Delete Rows from a
> View" was available last week to Metalink customers.
> The note was also displayed in the daily headlines
> section of the Metalink and sent to subscribers of
> the daily headline section.
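
Added example, not part of the original thread: an audit query for the mitigation tomi describes, listing users who hold CREATE VIEW or CREATE DATABASE LINK either directly or through a role such as CONNECT. It assumes access to the standard DBA_USERS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS dictionary views.

```sql
-- Added example: audit query, not from the original thread.
-- Run as a DBA (reads DBA_USERS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS).

-- 1. Users holding either privilege through a direct grant.
SELECT sp.grantee   AS username,
       sp.privilege AS privilege,
       'direct'     AS granted_via
FROM   dba_sys_privs sp
WHERE  sp.privilege IN ('CREATE VIEW', 'CREATE DATABASE LINK')
AND    sp.grantee IN (SELECT username FROM dba_users)
ORDER  BY sp.grantee, sp.privilege;

-- 2. Users inheriting either privilege through a role, at any nesting depth.
--    role_path starts at the role that carries the privilege (for example
--    /CONNECT) and ends at the role granted to the user.
SELECT rp.grantee AS username,
       SYS_CONNECT_BY_PATH(rp.granted_role, '/') AS role_path
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START  WITH rp.granted_role IN (
           SELECT sp.grantee
           FROM   dba_sys_privs sp
           WHERE  sp.privilege IN ('CREATE VIEW', 'CREATE DATABASE LINK'))
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  BY username, role_path;
```

Accounts returned by either query are the ones to review when deciding whether the CONNECT role, or the two privileges themselves, can be revoked.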

