<docbook><section><title>VirtDefaultSPARQLEndpointSPARULVulnerability</title><bridgehead class="http://www.w3.org/1999/xhtml:h2"> Virtuoso Default SPARQL 1.1 related Endpoint Vulnerability</bridgehead>
<para>A vulnerability scenario has been discovered in the default /sparql endpoint of prior Virtuoso 7.2 releases, whereby despite defaulting to read-only access (using coarse-grained SQL ROLE based Security) certain SPARQL 1.1 INSERT &amp; DELETE operations are possible, contrary to the perception relayed by the following error message: </para>
<programlisting>Virtuoso 42000 Error SR186:SECURITY: No permission to execute procedure DB.DBA.SPARQL_DELETE_DICT_CONTENT with user ID {some-user-id}, group ID {some-sql-role-account-id}.
</programlisting><para>This issue has been resolved in the latest 7.2.4+ (3217+) build releases and available from the <ulink url="http://virtuoso.openlinksw.com/download/">Virtuoso Download</ulink> page.</para>
<para>For those running earlier releases the following SQL commands immediately secure existing instances, courtesy of Virtuoso&#39;s finer-grained Graph Security layer: </para>
<programlisting>DB.DBA.RDF_DEFAULT_USER_PERMS_SET (&#39;nobody&#39;, 0, 1); -- nobody has no access to private named graphs
DB.DBA.RDF_DEFAULT_USER_PERMS_SET (&#39;nobody&#39;, 1, 0); -- &#39;nobody&#39; can only read public named graphs
</programlisting><para>Note this workaround has performance impact and can be disabled following upgrade to the new 7.2.4+ (3217+) binary.
If you simply want to secure a specific named graph, you can issue the following: </para>
<programlisting>DB.DBA.RDF_GRAPH_GROUP_INS
(&#39;http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs&#39;,&#39;{named-graph-iri}&#39;)
;
</programlisting></section></docbook>