Insert / Update / Delete Data via Views

Name: Insert / Update / Delete Data via Views [DB17]
Systems Affected: Oracle 8i - 10g Rel. 2
Severity: High Risk
Category: Bypass Access Control
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
CVE:
Advisory: 17 July 2007 (V 1.00)


Details
Specially crafted views allow a user to update, delete and insert data without having the required privileges.


Samples
delete from (specially crafted view)
insert into (specially crafted view)
update (specially crafted view)

Test cases will be released if we can verify that the problem is really fixed.

Patch Information
Apply the patches for Oracle CPU July 2007.


History
24-oct-2006 Oracle secalert was informed
25-oct-2006 Bug confirmed
18-jul-2007 Oracle published CPU July 2007 [DB17]
18-jul-2007 Advisory published


© 2007 by Red-Database-Security GmbH - last update 17-jul-2007