%META:TOPICPARENT{name="VOSIndex"}% ---++ Virtuoso Default SPARQL 1.1 related Endpoint Vulnerability A vulnerability scenario has been discovered in the default /sparql endpoint of prior Virtuoso 7.2 releases, whereby despite defaulting to read-only access (using coarse-grained SQL ROLE based Security) certain SPARQL 1.1 INSERT & DELETE operations are possible, contrary to the perception relayed by the following error message: Virtuoso 42000 Error SR186:SECURITY: No permission to execute procedure DB.DBA.SPARQL_DELETE_DICT_CONTENT with user ID {some-user-id}, group ID {some-sql-role-account-id}. This issue has been resolved in the latest 7.2.4+ (3217+) build releases and available from the [[http://virtuoso.openlinksw.com/download/][Virtuoso Download]] page. For those running earlier releases the following SQL commands immediately secure existing instances, courtesy of Virtuoso's finer-grained Graph Security layer: DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 1); -- nobody has no access to private named graphs DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 1, 0); -- 'nobody' can only read public named graphs Note this workaround has performance impact and can be disabled following upgrade to the new 7.2.4+ (3217+) binary. If you simply want to secure a specific named graph, you can issue the following: DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','{named-graph-iri}') ;