Date: Thu Apr 13 15:31:49 2006
From: jim.richards at dot.state.wi.us (Richards, Jim)
Subject: Recall: Oracle read-only user can insert/update/delete data

At a previous company I sysadmined at, I had just finished installing the
RightFax server, with Outlook integration (or maybe cc:Mail, I forget), but
anyhow, an email/fax came out to all of our dealers and customers stating
that our new product was slightly delayed due to something. The VP of sales
apparently hit reply-to-all and said "If they only realized it was totally
f*cked due to some giant problem in the hardware design, and it would likely
never function as advertised, blah blah".

I have never seen a more frightened look on anyone as he ran into my office
yelling "pull the f*cking plug!  Quick!!!!!!"

It had already emailed and faxed to hundreds of people...

-----Original Message-----
From: Michael Holstein [mailto:michael.holstein@...ohio.edu]
Sent: Thursday, April 13, 2006 8:11 AM
To: Mike Owen
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Recall: Oracle read-only user can
insert/update/delete data


> In my experience, it doesn't even work in an Exchange environment. The
> user gets a message that the message should be recalled, but the
> original is still there, even if it hasn't been read yet. I've heard
> people say that at one time it would auto-delete the message if it
> hadn't been read, but I've never seen that.

It does, provided you read the "recall" message first -- but since 
Outlook (by default) displays in reverse chronological order, and most 
people read email in the order received, it does little good.

Back when I was involved in Exchange administration, I can't tell you 
how many times I had to stop services and run exmerge against the store 
to clean out messages that somebody accidentally sent to a distribution list.

That .. and all the people that got embarrassed due to incorrect use of 
"reply-all" ;)

~Mike.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
