Oracle Granted To PUBLIC
Versions: ALL

Overview
This page is dedicated to pulling together in one place examples of weaknesses and risks that exist in an Oracle Database following a default installation with Oracle Universal Installer (OUI) and Database Configuration Assistant (DBCA).

This listing is not an attempt to categorize every possible weakness that introduces risk; rather, it is intended to serve as a guide, by category, to listings that either already exist here in the DBSecWorx resources section or will be added to the site as time permits.

To keep this list from becoming tens of thousands of rows in length, it focuses only on those items with a profound security implication.
Object Name | Comments

Profiles
DEFAULT profile | The DEFAULT profile grants unlimited capabilities to every user. Letting any user/schema have this profile is irresponsible. Use the Profiles page here at DBSecWorx as a guide for how to avoid Ragnarök.

Roles
CONNECT | After cleaning up the mess that was the original CONNECT role, with the advent of the Container Database Oracle messed it up again by adding a totally unnecessary and dangerous privilege: SET CONTAINER. This role should never be granted to any user.
RESOURCE | Unfortunately Oracle has never cleaned up the gross over-privileging in this role. This role should never be granted to any user.
DBA | Unfortunately Oracle has never cleaned up the gross over-privileging in this role. This role should never be granted to any user.

Grant EXECUTE To Public
DBMS_PREPROCESSOR | ???
UTL_CALL_STACK | Do users with only the CREATE SESSION privilege need to be able to read call stack messages?
UTL_COMPRESS | Do users with only the CREATE SESSION privilege need to be able to compress LOBs?
UTL_ENCODE | Do users with only the CREATE SESSION privilege need to encode strings?
UTL_FILE | Do users with only the CREATE SESSION privilege need to be able to write ad hoc data to physical files?
UTL_HTTP | Do users with only the CREATE SESSION privilege need to be able to download websites into the database?
UTL_I18N | Do users with only the CREATE SESSION privilege need to be able to encode strings?
UTL_INADDR | Do users with only the CREATE SESSION privilege need to be able to interrogate IP addresses and host names?
UTL_MAIL | Do users with only the CREATE SESSION privilege need to be able to email data out of the database?
UTL_RAW | Do users with only the CREATE SESSION privilege need to convert strings to RAW?
UTL_REF |
UTL_SMTP | Do users with only the CREATE SESSION privilege need to be able to email data out of the database?
UTL_TCP | Do users with only the CREATE SESSION privilege need to be able to make ad hoc TCP/IP connections?
UTL_URL |

Grant SELECT To Public
ALL_SOURCE |
ALL_SOURCE_AE |
USER_SOURCE |
USER_SOURCE_AE |
U |
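A script to check a given database against the objects in the table, as an added example that is not part of the DBSecWorx page: it assumes a DBA-privileged session, Oracle 12.1 or later for the ORACLE_MAINTAINED column, and in a CDB it reports only the container it is run in.

```sql
-- Added audit example (not DBSecWorx code). Run as a DBA; in a CDB it reports
-- only the container you are connected to. ORACLE_MAINTAINED needs 12.1+.

-- 1. Which of the packages and views listed above are still granted to PUBLIC?
SELECT table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    table_name IN ('DBMS_PREPROCESSOR', 'UTL_CALL_STACK', 'UTL_COMPRESS',
                      'UTL_ENCODE', 'UTL_FILE', 'UTL_HTTP', 'UTL_I18N',
                      'UTL_INADDR', 'UTL_MAIL', 'UTL_RAW', 'UTL_REF',
                      'UTL_SMTP', 'UTL_TCP', 'UTL_URL', 'ALL_SOURCE',
                      'ALL_SOURCE_AE', 'USER_SOURCE', 'USER_SOURCE_AE')
ORDER BY table_name;

-- 2. DEFAULT profile limits (KERNEL and PASSWORD) that are still UNLIMITED.
SELECT resource_type, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
AND    limit   = 'UNLIMITED'
ORDER BY resource_type, resource_name;

-- 3. Accounts that are not Oracle-maintained but hold CONNECT, RESOURCE or DBA.
SELECT rp.grantee, rp.granted_role, rp.admin_option
FROM   dba_role_privs rp
JOIN   dba_users      u ON u.username = rp.grantee
WHERE  rp.granted_role IN ('CONNECT', 'RESOURCE', 'DBA')
AND    u.oracle_maintained = 'N'
ORDER BY rp.granted_role, rp.grantee;

-- 4. Non-SYS objects that reference the network/file packages: any that rely
--    solely on the PUBLIC grant are invalidated when that grant is revoked.
SELECT d.owner, d.name, d.type, d.referenced_name
FROM   dba_dependencies d
WHERE  d.referenced_owner = 'SYS'
AND    d.referenced_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_INADDR',
                             'UTL_MAIL', 'UTL_SMTP', 'UTL_TCP')
AND    d.owner <> 'SYS'
ORDER BY d.referenced_name, d.owner, d.name;

-- 5. Generate the revocations for the network/file packages found in step 1.
SELECT 'REVOKE EXECUTE ON SYS.' || table_name || ' FROM PUBLIC;' AS fix_stmt
FROM   dba_tab_privs
WHERE  grantee   = 'PUBLIC'
AND    owner     = 'SYS'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_INADDR',
                      'UTL_MAIL', 'UTL_SMTP', 'UTL_TCP');
```

Grant EXECUTE directly to each owner reported by step 4 before running the statements from step 5, otherwise their dependent objects go invalid on the revoke.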

Related Topics
Base64 Exploit
Cast To RAW Exploit
NoSpaces Exploit
REPLACE Exploit
TRANSLATE Exploit
UTL_ENCODE
UTL_I18N
UTL_RAW
WRAP Exploit