Re: Oracle 9i DB Security Hole

Sybrand,
As you often recommend, a search of Google for Security and 9i on the Oracle groups will show a reported bug that can, in some circumstances, allow users access to tables for which no privileges have been granted( in fact to any table)  ...IIRC,it involves use of the new ANSI compliant join syntax... At this time there are 33 threads about this issue..

Sybrand Bakker <postbus_at_sybrandb.demon.nl> wrote:

>On 17 Apr 2002 09:37:18 -0700, mfowler_at_dot.co.pima.az.us (m. fowler)
>wrote:
>
>>I think the 'bug' can be summarized thus: any user has read/write
>>access to the data dictionary and any other user data. This can be
>>rephrased like this: there is no security within the 9.0.1 database.
>>The implications of this would seem to be rather profound.
>
>
>any user has read/write
>access to the data dictionary
>
>So what? Do you know of any other mechanism in Oracle to update the
>dictionary for you?
>
>
>and any other user data ....
>there is no security within the 9.0.1 database.
>
>Could you please provide at least *some* proof? Obviously you can't.
>
>And if you can demonstrate this, why don't you get in touch with
>Oracle on this issue? Or do you prefer to flame Oracle in public? That
>would make you a coward, don't you think?
>Or do you just like to be sued by Oracle for spreading such slander?

-----= Posted via Newsfeeds.Com, Uncensored Usenet News =----- http://www.newsfeeds.com - The #1 Newsgroup Service in the World!  Check out our new Unlimited Server. No Download or Time Limits! -----== Over 80,000 Newsgroups - 19 Different Servers! ==----- Received on Wed Apr 17 2002 - 12:30:39 CDT