Path: news.easynews.com!easynews!priapus.visi.com!news-out.visi.com!hermes.visi.com!newspeer.monmouth.com!kibo.news.demon.net!demon!btnet-peer0!btnet-peer!btnet!lnewspeer01.lnd.ops.eu.uu.net!lnewspost00.lnd.ops.eu.uu.net!emea.uu.net!not-for-mail From: "Niall Litchfield" Newsgroups: comp.databases.oracle.server References: <1018909953.3789.0.nnrp-08.9e984b29@news.demon.co.uk> <3CBB5EFC.43A50425@exesolutions.com> Subject: Re: 9iDB Security Hole? Date: Tue, 16 Apr 2002 08:40:55 +0100 X-Priority: 3 X-MSMail-Priority: Normal X-Newsreader: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Lines: 25 Message-ID: <3cbbd589$0$238$ed9e5944@reading.news.pipex.net> NNTP-Posting-Host: host9.audit-commission.gov.uk X-Trace: 1018942857 reading.news.pipex.net 238 193.128.236.219 X-Complaints-To: abuse@uk.uu.net Xref: easynews comp.databases.oracle.server:143288 X-Received-Date: Tue, 16 Apr 2002 00:38:39 MST (news.easynews.com) "Daniel Morgan" wrote in message news:3CBB5EFC.43A50425@exesolutions.com... > And no one other than sys should be looking at sys.link$ anyway. This is the whole point of the thread. As described so far the use of LEFT OUTER JOIN in 9i means that any user with create session privilege can look at data from any table that exists in the database. Has someone filed a bug on this yet? This looks like a good reason to avoid the ANSI syntax for a while yet. -- Niall Litchfield Oracle DBA Audit Commission UK ***************************************** Please include version and platform and SQL where applicable It makes life easier and increases the likelihood of a good answer ******************************************