ID: 0000418
Type: defect
Category: [Openbravo ERP] K. Packaging
Severity: major
Reproducibility: have not tried
Date Submitted: 2008-05-23 15:52
Last Update: 2009-03-18 11:02
Reporter: alostale
View Status: public
Assigned To: jpabloae
Priority: normal
Resolution: fixed
Status: closed
Fixed in SCM revision: 61
Projection: none
ETA: none
OS: Any
Database: Oracle
SCM revision: MP1
Modules: Core
Triggers an Emergency Pack: No
Summary

0000418: Openbravo database schema has dba privileges

Description

The Openbravo installation grants to the Oracle user housing the Openbravo schema (TAD by default) DBA privileges.

This is a security vulnerability because if hackers manage to get access to this user, they will gain control of the full database.

This is a particularly serious concern for those customers who deploy Openbravo in an Oracle database that houses other applications as well.
Steps To Reproduce

Connect to Oracle and verify privileges.

Tags: No tags attached.

- Relationships
related to defect 0000124 (2.40, closed, alostale): Openbravo database schame has dba privileges

-  Notes
(0000322)
alostale (manager)
2008-05-23 15:55

The installer should create the user with the same privileges creation from files does.

Currently:
    grant create session to ${bbdd.user};
    grant alter session to ${bbdd.user};
    grant create table to ${bbdd.user};
    grant create procedure to ${bbdd.user};
    grant create trigger to ${bbdd.user};
    grant create view to ${bbdd.user};
    alter user ${bbdd.user} quota unlimited on users;
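
One way to carry out the "verify privileges" step and compare the result with the grant set quoted in note 0000322, as an added example that is not part of the issue or of Openbravo's code. It assumes the default schema user TAD and a session that can read the Oracle DBA_* dictionary views; roles nested inside other roles are not expanded.

```sql
-- Added audit example, not Openbravo code.
-- Assumption: schema user is TAD (the default named in the issue); change as needed.

-- 1. Roles granted to the schema user. A row with GRANTED_ROLE = 'DBA'
--    reproduces the issue.
SELECT granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'TAD'
 ORDER BY granted_role;

-- 2. System privileges held directly or through a directly granted role
--    that are NOT in the grant set from note 0000322.
--    An empty result means the user is limited to that set.
WITH allowed AS (
  SELECT 'CREATE SESSION'   AS privilege FROM dual UNION ALL
  SELECT 'ALTER SESSION'    FROM dual UNION ALL
  SELECT 'CREATE TABLE'     FROM dual UNION ALL
  SELECT 'CREATE PROCEDURE' FROM dual UNION ALL
  SELECT 'CREATE TRIGGER'   FROM dual UNION ALL
  SELECT 'CREATE VIEW'      FROM dual
),
held AS (
  SELECT privilege, 'direct grant' AS granted_via
    FROM dba_sys_privs
   WHERE grantee = 'TAD'
  UNION ALL
  SELECT sp.privilege, 'role ' || rp.granted_role
    FROM dba_role_privs rp
    JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
   WHERE rp.grantee = 'TAD'
)
SELECT h.privilege, h.granted_via
  FROM held h
 WHERE h.privilege NOT IN (SELECT privilege FROM allowed)
 ORDER BY h.privilege, h.granted_via;

-- 3. Tablespace quotas. The note expects an unlimited quota on USERS only;
--    MAX_BYTES = -1 means unlimited.
SELECT tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'TAD';
```
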
(0007878)
svnbot (reporter)
2008-06-19 17:47

Repository: packaging
Revision: 61
Author: jpabloae
Date: 2008-06-19 17:47:42 +0200 (Thu, 19 Jun 2008)

Fixes issue 418: Openbravo database schema has dba privileges. Fixes issue 4035: out of cursors

---
U installer/trunk/demodata.patch
U installer/trunk/openbravo-only.xml
---

https://dev.openbravo.com/websvn/packaging/?rev=61&sc=1

- Issue History
Date Modified Username Field Change
2008-05-23 15:52 alostale New Issue
2008-05-23 15:52 alostale Assigned To => alostale
2008-05-23 15:52 alostale Issue generated from 0000124
2008-05-23 15:52 alostale Relationship added related to 0000124
2008-05-23 15:55 alostale Note Added: 0000322
2008-05-23 15:56 alostale Project Openbravo ERP => @5@
2008-05-23 16:02 alostale Assigned To alostale => jpabloae
2008-05-23 17:49 jpabloae Status new => acknowledged
2008-05-23 17:49 jpabloae version 2.35 =>
2008-05-23 17:49 jpabloae Summary Openbravo database schame has dba privileges => Openbravo database schema has dba privileges
2008-05-23 18:16 alostale Issue Monitored: alostale
2008-06-12 01:50 jpabloae Category C. Security => Installer
2008-06-19 17:47 svnbot Checkin
2008-06-19 17:47 svnbot Note Added: 0007878
2008-06-19 17:47 svnbot Status acknowledged => resolved
2008-06-19 17:47 svnbot Resolution open => fixed
2008-06-19 17:47 svnbot svn_revision => 61
2008-11-13 07:02 jpabloae Status resolved => closed
2008-11-25 21:41 pjuvara Sticky Issue No => Yes
2008-11-25 21:43 pjuvara Project @5@ => Openbravo ERP
2008-11-25 21:45 pjuvara Category Installer => K. Packaging
2008-11-25 21:47 pjuvara Sticky Issue Yes => No
2009-03-18 11:02 anonymous sf_bug_id 0 => 2691312

