Pete Finnigan's Oracle Security Weblog

I saw Robert Vollman's post to his blog titled "UTL_HTTP" and decided that it sounded interesting enough for a look. UTL_HTTP is one of the age old built-in database PL/SQL packages that show up in lists of security issues. Why is this you may ask? - simply because of the fact that it is by default available to any database user to use. The script who_can_access.sql can be used to check which database users and roles can access this package:-


SQL> @c:\petefinnigan.com\who_can_access.sql

who_can_access: Release 1.0.3.0.0 - Production on Mon Aug 15 21:47:36 2005
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

NAME OF OBJECT TO CHECK [USER_OBJECTS]: UTL_HTTP
OWNER OF THE OBJECT TO CHECK [USER]: SYS
OUTPUT METHOD Screen/File [S]: S
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:
EXCLUDE CERTAIN USERS [N]:
USER TO SKIP [TEST%]:

Checking object => SYS.UTL_HTTP
====================================================================


Object type is => PACKAGE (TAB)
Privilege => EXECUTE is granted to =>
Role => PUBLIC (ADM = NO)

PL/SQL procedure successfully completed.


For updates please visit /tools.htm

SQL>


As we can see on this sample database execute privilege has been granted to PUBLIC.

Robert shows a very nice example of how stock quotes can be extracted from Yahoo Finance and inserted into the database using this package. I liked his example as it shows a real world case of how you can access external data and read it in. Remember that this package can also be used in the opposite direction and data can be extracted from the database. Also it can be used to load and run hacker SQL or PL/SQL scripts that are stored on an external web site. Beware of default privileges and useful functionality.