Red-Database-Security GmbH is specialized in Oracle Security

Modify Data via Inline Views

Name: Modify Data via Inline Views (8107967) [DB09]
Systems Affected: Oracle 9i - 10g Rel. 2
Severity: High Risk
Category: Bypass Access Control
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
CVE: CVE-2006-5337
Advisory: 18 October 2006 (V 1.01)


Details
Updates, deletes and inserts are possible with minimal privileges via inline views. A user who holds only the CREATE SESSION privilege can insert, update or delete data.


Samples
delete from (specially crafted inline view)
insert into (specially crafted inline view)
update (specially crafted inline view)

Patch Information
Apply the patches for Oracle CPU October 2006.


History
24-jul-2006 Oracle secalert was informed about a variant of the create view bug.
18-oct-2006 Oracle published CPU October 2006 [DB09]
18-oct-2006 Advisory published
23-oct-2006 CVE added


2006 by Red-Database-Security GmbH - last update 23-oct-2006