70 lines
1.7 KiB
Plaintext
70 lines
1.7 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Some Oracle packages contain powerful SYS-owned functions that can be used to perform malicious operations. For instance, ``++DBMS_SYS_SQL.PARSE_AS_USER++`` can be used to execute a statement as another user.
|
|
|
|
|
|
Most programs do not need those functions and this rule helps identify them in order to prevent security risks.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,sql]
|
|
----
|
|
DECLARE
|
|
c INTEGER;
|
|
sqltext VARCHAR2(100) := 'ALTER USER system IDENTIFIED BY hacker'; -- Might be injected by the user
|
|
BEGIN
|
|
c := SYS.DBMS_SYS_SQL.OPEN_CURSOR(); -- Noncompliant
|
|
|
|
-- Will change 'system' user's password to 'hacker'
|
|
SYS.DBMS_SYS_SQL.PARSE_AS_USER(c, sqltext, DBMS_SQL.NATIVE, UID); -- Non-Compliant
|
|
|
|
SYS.DBMS_SYS_SQL.CLOSE_CURSOR(c); -- Noncompliant
|
|
END;
|
|
/
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
|
|
* CWE - https://cwe.mitre.org/data/definitions/269[CWE-269 - Improper Privilege Management]
|
|
* CWE - https://cwe.mitre.org/data/definitions/270[CWE-270 - Privilege Context Switching Error]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Do not use the {0} package.
|
|
|
|
|
|
=== Parameters
|
|
|
|
.packagesToDetect
|
|
****
|
|
|
|
----
|
|
DBMS_SYS_SQL,DBMS_BACKUP_RESTORE,DBMS_LOB,DBMS_NAMESPACE,DBMS_SCHEDULER,DBMS_RANDOM,EMD_SYSTEM,UTL_FILE,UTL_HTTP,UTL_SMTP,UTL_TCP
|
|
----
|
|
|
|
List of packages that should be detected
|
|
****
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 24 May 2013, 12:12:26 Dinesh Bolkensteyn wrote:
|
|
not enabled by default?
|
|
|
|
=== on 24 May 2013, 12:26:49 Fabrice Bellingard wrote:
|
|
Indeed Dinesh!
|
|
|
|
endif::env-github,rspecator-view[]
|