This is fixed in 9.0.1.3. I have verified it.

-----Original Message-----
Sent: Wednesday, July 03, 2002 12:43 PM
To: Multiple recipients of list ORACLE-L
Cutting and pasting from an old post by Jonathan Lewis:

The upshot of it seems to be that anyone who can get an SQL session can look
at any data, and given 'create view' as well can change data at will.  You may
be able to use the database in production, but only if your users can't access
it directly.
I've not tested it myself, but it should still be on metalink.
_____________________________________________________________________
This just in from comp.databases.oracle.server.

See metalink bug 2121935.

Using ANSI syntax joins (CROSS JOIN, LEFT OUTER, etc.)
allows you to view data from tables on which you have no
privilege.  For example, try this COMPLETE script:

connect / as sysdba
create user us1 identified by us1;
grant create session to us1;

connect us1/us1

select userid, password
from
        sys.link$ cross join dual
;


Worse still, if you have the privilege to create views
then this loophole allows you to seek and destroy
ANY DATA in the database that you might want to.

The bug is fixed in 9iR2.  I didn't see any note
about a backport, or a security alert on OTN.

Conclusion:

    9.0.1 should not be in use on a production system
    until Oracle supplies a fix.
_____________________________________________________________________
With apologies for the mangled quick quote.
Simon Anderson


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: 
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Toepke, Kevin M
  INET: [EMAIL PROTECTED]
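
A defender-side check to go with the thread, added here and not taken from any of the posts above: a small Python scanner over audit-trail records (user, SQL text) that flags non-privileged sessions issuing ANSI-join statements referencing SYS-owned objects, which is the pattern metalink bug 2121935 lets through on unpatched 9.0.1. The sample records, the user names and the `PRIVILEGED` set are constructed for the example; in practice the records would come from the database audit trail.

```python
import re

# Constructed sample audit records (db_user, sql_text), not real audit data.
SAMPLE_AUDIT = [
    ("US1", "select userid, password from sys.link$ cross join dual"),
    ("US1", "select * from dual"),
    ("SYS", "select userid, password from sys.link$ cross join dual"),
    ("US1", "select d.dummy from dual d left outer join SYS.USER$ u on u.name = d.dummy"),
    ("US1", "select * from sys.link$, dual"),  # old-style join: privilege check applies
]

# ANSI join keyword, with or without a CROSS/NATURAL/INNER/LEFT/RIGHT/FULL/OUTER qualifier.
ANSI_JOIN = re.compile(r"\b(?:cross|natural|inner|left|right|full|outer)?\s*join\b", re.I)
# Object references qualified with the SYS schema, e.g. sys.link$ or SYS.USER$.
SYS_REF = re.compile(r"\bsys\.([a-z_$#][a-z0-9_$#]*)", re.I)
# Accounts that legitimately read SYS objects; assumed set for this example.
PRIVILEGED = {"SYS", "SYSTEM"}


def sys_objects_in_ansi_join(sql):
    """Return the SYS-owned objects referenced by a statement that uses ANSI join syntax.

    Statements without an ANSI join return an empty list, since the old-style
    comma join is still subject to the normal object privilege check.
    """
    if not ANSI_JOIN.search(sql):
        return []
    return sorted({m.group(1).upper() for m in SYS_REF.finditer(sql)})


def scan_audit(records):
    """Return (user, [objects]) for every non-privileged ANSI-join access to SYS objects."""
    findings = []
    for user, sql in records:
        if user.upper() in PRIVILEGED:
            continue
        objects = sys_objects_in_ansi_join(sql)
        if objects:
            findings.append((user, objects))
    return findings


if __name__ == "__main__":
    for user, objects in scan_audit(SAMPLE_AUDIT):
        print(f"{user} reached SYS objects via ANSI join: {', '.join(objects)}")
```

A hit on a 9.0.1 instance below 9.0.1.3 means the statement was likely answered rather than rejected with ORA-00942, so the finding should be treated as a data exposure, not just an attempt.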
