
Re: 9iDB Security Hole?

From: Howard Rogers <Howard.Rogers_at_oracle.com>
Date: Thu, 18 Apr 2002 10:36:24 +1000
Message-ID: <Gwov8.42$ao6.237@news.oracle.com>


Setting the compatible parameter has no effect (didn't think it would, because it's designed to protect against the use of *structural* new features, not syntax new features).

For example, setting it to 8.1.0 means you can't do this:

SQL> create undo tablespace blah datafile 'C:\blah01.dbf' size 5m;
create undo tablespace blah datafile 'C:\blah01.dbf' size 5m
*
ERROR at line 1:
ORA-00406: COMPATIBLE parameter needs to be 9.0.0.0.0 or greater

But it doesn't stop you using the syntax, you'll notice; it just stops you creating the new structure itself.

Similarly, when you set compatible=8.1.0, the outer join syntax remains fully functional, because it's not dependent on any new structural features. So, for example:

SQL> connect / as sysdba
Connected.
SQL> show parameter compatible

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
compatible                           string      8.1.0
SQL> connect scott/tiger
Connected.
SQL> select count(*) from emp left outer join dept on emp.deptno=dept.deptno;

  COUNT(*)
----------
        14

And if the syntax is still supported, the bug is still exploitable by some nefarious user. Until it gets patched, there's nothing you can do about it as far as I can tell.

(Not sure why Niall couldn't get an 8.1-compatible database open. Just make sure you switch off db_cache_size and use db_block_buffers; sga_max_size mustn't be set; undo_management = manual; undo_retention not set, and it seems to work OK. There might have been some others I had to unset, too, but these are the ones that most spring to mind).

Regards
HJR

"Todd M. Helfter" <tmh_at_jumpgate.cc.purdue.edu> wrote in message news:a9jk9h$66b$1_at_mozo.cc.purdue.edu...
>
> Can anyone think of an init.ora parameter to disable all users from having
> access to the security hole? Something like "TURN_OFF_SQL92_BLAH_BLAH" or would
> setting compatibility to 8.1.7 have the same effect?
>
> --
> Todd M. Helfter
> Database Analyst/Programmer
> Purdue University
> tmh_at_purdue.edu
Received on Wed Apr 17 2002 - 19:36:24 CDT
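As an added illustration (not part of Howard's post or anything shipped by Oracle), the following SQL*Plus script packages the two checks the thread is about: it lists the instance parameters Howard names, then uses DBMS_SQL to test whether the ANSI outer join syntax parses at all, so a DBA can confirm on their own instance that COMPATIBLE does not gate the syntax. It assumes a 9i instance, a session with SYSDBA or equivalent privileges, the SCOTT/TIGER demo schema being present, and SERVEROUTPUT being enabled; the message strings and the probe statement are the editor's own choices.

```sql
-- Added example, not from the original post. Assumes: Oracle 9i, SYSDBA
-- session, SCOTT demo schema installed, DBMS_OUTPUT available.
SET SERVEROUTPUT ON SIZE 100000

-- 1. Show the parameters Howard lists as relevant to opening an
--    8.1-compatible instance, plus COMPATIBLE itself.
COLUMN name  FORMAT A20
COLUMN value FORMAT A30
SELECT name, value
  FROM v$parameter
 WHERE name IN ('compatible', 'db_cache_size', 'db_block_buffers',
                'sga_max_size', 'undo_management', 'undo_retention')
 ORDER BY name;

-- 2. Probe the parser: does the ANSI LEFT OUTER JOIN syntax parse
--    under the current COMPATIBLE setting? Parsing (not executing) is
--    enough to show whether the syntax is reachable by any user.
DECLARE
  c      INTEGER;
  compat VARCHAR2(30);
BEGIN
  SELECT value INTO compat FROM v$parameter WHERE name = 'compatible';

  c := DBMS_SQL.OPEN_CURSOR;
  BEGIN
    DBMS_SQL.PARSE(c,
      'SELECT COUNT(*) FROM scott.emp e ' ||
      'LEFT OUTER JOIN scott.dept d ON e.deptno = d.deptno',
      DBMS_SQL.NATIVE);
    DBMS_OUTPUT.PUT_LINE('compatible=' || compat ||
      ': ANSI outer join syntax accepted by the parser');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('compatible=' || compat ||
        ': ANSI outer join syntax rejected: ' || SQLERRM);
  END;
  IF DBMS_SQL.IS_OPEN(c) THEN
    DBMS_SQL.CLOSE_CURSOR(c);
  END IF;
END;
/

-- 3. For comparison, the pre-9i (+) form that returns the same rows;
--    both should report the same count on the demo data.
SELECT COUNT(*) FROM scott.emp e LEFT OUTER JOIN scott.dept d
    ON e.deptno = d.deptno;
SELECT COUNT(*) FROM scott.emp e, scott.dept d
 WHERE e.deptno = d.deptno(+);
```

The point of parsing rather than executing in step 2 is that a parse failure is exactly what a parameter like the hypothetical one Todd asked for would have to produce; on a 9i instance with compatible=8.1.0 the parse succeeds, which is Howard's observation that the syntax, and therefore anything that depends on it, remains reachable until the server is patched.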