Modify Data via Inline Views

Name: Modify Data via Inline Views (8107967) [DB09]
Systems Affected: Oracle 9i - 10g Rel. 2
Severity: High Risk
Category: Bypass Access Control
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
CVE: CVE-2006-5337
Advisory: 18 October 2006 (V 1.01)


Details
Inserts, updates and deletes are possible with minimal privileges via inline views. A user who holds only the CREATE SESSION privilege can insert, update or delete data.
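
Added example, not part of the original advisory: a query that reconciles the audit trail with granted privileges to surface successful DML by accounts that hold no matching privilege, which is the effect described above. It assumes DML auditing is enabled on the tables of interest, that the audit trail is written to the database, and that the audit record names the base table; `app.orders` in the comment is a hypothetical table name.

```sql
-- Added example: successful audited DML by accounts with no matching privilege.
-- Assumes auditing such as: AUDIT INSERT, UPDATE, DELETE ON app.orders BY ACCESS
-- (app.orders is a hypothetical table) and AUDIT_TRAIL=DB.
-- Column-level grants (DBA_COL_PRIVS) are not considered.
SELECT a.timestamp, a.username, a.action_name, a.owner, a.obj_name
FROM   dba_audit_trail a
WHERE  a.action_name IN ('INSERT', 'UPDATE', 'DELETE')
AND    a.returncode = 0           -- statement succeeded
AND    a.username <> a.owner      -- owners need no grant on their own tables
-- No object privilege held directly, via PUBLIC, or via a (nested) role
AND NOT EXISTS (
      SELECT 1
      FROM   dba_tab_privs p
      WHERE  p.owner      = a.owner
      AND    p.table_name = a.obj_name
      AND    p.privilege  = a.action_name
      AND   (p.grantee IN (a.username, 'PUBLIC')
             OR p.grantee IN (
                  SELECT r.granted_role
                  FROM   dba_role_privs r
                  START WITH r.grantee IN (a.username, 'PUBLIC')
                  CONNECT BY PRIOR r.granted_role = r.grantee)))
-- No INSERT/UPDATE/DELETE ANY TABLE system privilege either
AND NOT EXISTS (
      SELECT 1
      FROM   dba_sys_privs s
      WHERE  s.privilege = a.action_name || ' ANY TABLE'
      AND   (s.grantee IN (a.username, 'PUBLIC')
             OR s.grantee IN (
                  SELECT r.granted_role
                  FROM   dba_role_privs r
                  START WITH r.grantee IN (a.username, 'PUBLIC')
                  CONNECT BY PRIOR r.granted_role = r.grantee)))
ORDER  BY a.timestamp;
```

DML that legitimately reaches a table through a granted view or definer-rights PL/SQL can appear in the result as well, so treat each row as a candidate for review rather than proof of abuse.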


Samples
delete from (specially crafted inline view)
insert into (specially crafted inline view)
update (specially crafted inline view)

Patch Information
Apply the patches for Oracle CPU October 2006.


History
24-jul-2006 Oracle secalert was informed about a variant of the create view bug.
18-oct-2006 Oracle published CPU October 2006 [DB09]
18-oct-2006 Advisory published
23-oct-2006 CVE added


© 2006 by Red-Database-Security GmbH - last update 23-oct-2006