Paul Wright has written an excellent paper on an interesting way to attack Oracle using external tables.

It just goes to show that any permission can be abused in the right circumstances. I’m still amazed that UTL_FILE is still granted to PUBLIC by default.

Anyways, great work, Paul!