
Home -> Community -> Usenet -> c.d.o.server -> Re: 9iDB Security Hole?

Re: 9iDB Security Hole?

From: Howard J. Rogers <dba_at_hjrdba.com>
Date: Wed, 17 Apr 2002 05:42:48 +1000
Message-ID: <a9huuq$in1$1@lust.ihug.co.nz>


I saw no indication of a back-port, but maybe Pete can correct me on that.

It's already happened on this newsgroup on the very same subject, so it's not that surprising: the implications of the bug are not obvious to everyone until you spell it out. I am guessing that the bug report didn't raise alarm bells because it reads as though it merely allows inconvenient access to EMP tables and the like. Someone didn't realise that it meant you could also wipe parts of the data dictionary, I think.

Regards
HJR

--
-----------------------------------------------
Resources for Oracle : http://www.hjrdba.com
===============================

"Connor McDonald" <connor_mcdonald_at_yahoo.com> wrote in message
news:3CBC71AE.6037_at_yahoo.com...

> Jonathan Lewis wrote:
> >
> > In fact, there is a bug, which I couldn't find
> > last night - 2121935, dated December 2002 !!!
> >
> > Any ANSI join is a problem.
> >
> > But this isn't a reason for avoiding ANSI syntax,
> > it's a reason for not migrating a production
> > system to 9.0.1
> >
> > --
> > Jonathan Lewis
> > http://www.jlcomp.demon.co.uk
> >
> > Author of:
> > Practical Oracle 8i: Building Efficient Databases
> >
> > Next Seminar - Australia - July/August
> > http://www.jlcomp.demon.co.uk/seminar.html
> >
> > Host to The Co-Operative Oracle Users' FAQ
> > http://www.jlcomp.demon.co.uk/faq/ind_faq.html
> >
> > Niall Litchfield wrote in message
> > <3cbbd589$0$238$ed9e5944_at_reading.news.pipex.net>...
> > >"Daniel Morgan" <damorgan_at_exesolutions.com> wrote in message
> > >news:3CBB5EFC.43A50425_at_exesolutions.com...
> > >> And no one other than sys should be looking at sys.link$ anyway.
> > >
> > >This is the whole point of the thread. As described so far the use of LEFT
> > >OUTER JOIN in 9i means that any user with create session privilege can look
> > >at data from any table that exists in the database.
> > >
> > >Has someone filed a bug on this yet? This looks like a good reason to avoid
> > >the ANSI syntax for a while yet.
> > >
>
> Yeah - it's not really the bug that's inexcusable, it's the December date on
> the bug...
>
> Pete/Howard - No alert?, no backport? No-one there trying to keep this
> under the covers are they :-)
>
> --
> ==============================
> Connor McDonald
>
> http://www.oracledba.co.uk
>
> "Some days you're the pigeon, some days you're the statue..."
Received on Tue Apr 16 2002 - 14:42:48 CDT
