Is this on 9i databases or is 8 involved? Ruth ----- Original Message ----- To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]> Sent: Tuesday, April 16, 2002 7:33 AM
> This just in from comp.databases.oracle.server. > > See metalink bug 2121935. > > Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc) > allows you to view data from tables on which you have no > privilege. For example, try this COMPLETE script: > > connect / as sysdba > create user us1 identified by us1; > grant create session to us1; > > connect us1/us1 > > select userid, password > from > sys.link$ cross join dual > ; > > > > Worse still, if you have the privilege to create views > then this loophole allows you to seek and destroy > ANY DATA in the database that you might want to. > > The bug is fixed in 9iR2. I didn't see any note > about a backport, or a security alert on OTN. > > Conclusion: > > 9.0.1 should not be in use on production system > until Oracle supplies a fix. > > > > Jonathan Lewis > http://www.jlcomp.demon.co.uk > > Author of: > Practical Oracle 8i: Building Efficient Databases > > Next Seminar - Australia - July/August > http://www.jlcomp.demon.co.uk/seminar.html > > Host to The Co-Operative Oracle Users' FAQ > http://www.jlcomp.demon.co.uk/faq/ind_faq.html > > > > > -- > Please see the official ORACLE-L FAQ: http://www.orafaq.com > -- > Author: Jonathan Lewis > INET: [EMAIL PROTECTED] > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 > San Diego, California -- Public Internet access / Mailing Lists > -------------------------------------------------------------------- > To REMOVE yourself from this mailing list, send an E-Mail message > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in > the message BODY, include a line containing: UNSUB ORACLE-L > (or the name of mailing list you want to be removed from). You may > also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ruth Gramolini INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
