[VIM] Interesting Oracle FUBAR..
jericho at attrition.org
Tue Apr 11 18:30:57 EDT 2006
---------- Forwarded message ----------
From: "Kornbrust, Alexander" <ak at red-database-security.com>
To: full-disclosure at lists.grok.org.uk
Date: Mon, 10 Apr 2006 14:11:38 +0200
Subject: [Full-disclosure] Oracle read-only user can insert/update/delete data via specially crafted views
Hello Full Disclosure
Last Thursday 6th April 2006, Oracle released a note on the Oracle
knowledgebase Metalink with details about an unfixed security
vulnerability (=0day) and a working test case (=exploit code) which
affects all versions of Oracle from 188.8.131.52 to 10.2.0.3. This note
"363848.1 - A User with SELECT Object Privilege on Base Tables Can Delete
Rows from a View" was available last week to Metalink customers. The note
was also displayed in the daily headlines section of the Metalink.
That's why this information can be assumed as public knowledge and
DBAs/Developers who missed the note on Metalink should know this
vulnerability in order to avoid/mitigate the risk (if possible) whilst
waiting for a patch from Oracle.
After noticing the note, I informed Oracle secalert that releasing such
information on Metalink is not a wise idea. Oracle normally criticises
individuals and/or companies for releasing information about Oracle
vulnerabilities (like David Litchfield from NGSSoftware for releasing
information on a never-fixed bug in mod_plsql gateway). In this case, not
only Oracle released detailed information on the vulnerability; they also
included the working exploit code on the Metalink.
In an interview a few months ago, the Oracle CSO stated: "I've known
customers to terminate contracts ... for releasing exploit code... you
might get applause from hackers... but business will not pay you to slit
their throats. With knowledge comes responsibility."
After my email, Oracle removed the note from Metalink.