Insert / Update / Delete Data via Views

Name: Insert / Update / Delete Data via Views [DB17]
Systems Affected: Oracle 8i - 10g Rel. 2
Severity: High Risk
Category: Bypass Access Control
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
CVE:
Advisory: 17 July 2007 (V 1.00)


Details
A user can update, delete and insert data via specially crafted views without having the required privileges.


Samples
delete from (specially crafted view)
insert into (specially crafted view)
update (specially crafted view)

Test cases will be released if we can verify that the problem is really fixed.

Patch Information
Apply the patches for Oracle CPU July 2007.


History
24-oct-2006 Oracle secalert was informed
25-oct-2006 Bug confirmed
18-jul-2007 Oracle published CPU July 2007 [DB17]
18-jul-2007 Advisory published


2007 by Red-Database-Security GmbH - last update 17-jul-2007