Bug is fixed in 9.0.1.3 (or was it .2, I forget), and is not present in 9.2 (9iR2). A backport for 9.0.1.1 is available as I recall.
Robert G. Freeman - Oracle OCP Oracle Database Architect CSX Midtier Database Administration Author Oracle9i RMAN Backup and Recovery (Oracle Press - Oct 2002) Oracle9i New Features (Oracle Press) Mastering Oracle8i (Sybex) Clark Griswold: Eddie, has anyone ever told you that you're bad luck? Cousin Eddie: Those were my mother's dying words. But I guess if your body's covered in third degree burns, and your foot's caught in a bear trap, you tend to start talkin' crazy. -----Original Message----- Sent: Friday, July 19, 2002 2:58 PM To: Multiple recipients of list ORACLE-L Is this still a problem in 9iR2? I do not have it installed yet :( - Kirti > -----Original Message----- > From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]] > Sent: Friday, July 19, 2002 12:05 PM > To: Multiple recipients of list ORACLE-L > Subject: Re: security bug - join syntax > > Thanks Linda. > > Usenet seems to be a little behind the curve though. > > Jonathan Lewis discovered this and posted on the list > ( you saw it here first! ) over a month ago. > > Jared > > > > > > [EMAIL PROTECTED] > Sent by: [EMAIL PROTECTED] > 07/19/2002 09:23 AM > Please respond to ORACLE-L > > > To: Multiple recipients of list ORACLE-L > <[EMAIL PROTECTED]> > cc: > Subject: Re: security bug - join syntax > > > > This just in from comp.databases.oracle.server. > > See metalink bug 2121935. > > Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc) > allows you to view data from tables on which you have no > privilege. For example, try this COMPLETE script: > > connect / as sysdba > create user us1 identified by us1; > grant create session to us1; > > connect us1/us1 > > select userid, password > from > sys.link$ cross join dual > ; > > > > > "Adams, Matthew (GEA, MABG, 088130)" <[EMAIL PROTECTED]>@fatcity.com > on 07/19/2002 11:04:17 AM > > Please respond to [EMAIL PROTECTED] > > > > Sent by: [EMAIL PROTECTED] > > > To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]> > cc: > > > > > Anybody remember the bug number for the security issue > with the new join syntax in 9i? > > ---- > Matt Adams - GE Appliances - [EMAIL PROTECTED] > The ozone layer or cheese in a spray can. > Don't make me choose. > > > > > -- > Please see the official ORACLE-L FAQ: http://www.orafaq.com > -- > Author: > INET: [EMAIL PROTECTED] > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 > San Diego, California -- Public Internet access / Mailing Lists > -------------------------------------------------------------------- > To REMOVE yourself from this mailing list, send an E-Mail message > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in > the message BODY, include a line containing: UNSUB ORACLE-L > (or the name of mailing list you want to be removed from). You may > also send the HELP command for other information (like subscribing). > > > > -- > Please see the official ORACLE-L FAQ: http://www.orafaq.com > -- > Author: > INET: [EMAIL PROTECTED] > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 > San Diego, California -- Public Internet access / Mailing Lists > -------------------------------------------------------------------- > To REMOVE yourself from this mailing list, send an E-Mail message > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in > the message BODY, include a line containing: UNSUB ORACLE-L > (or the name of mailing list you want to be removed from). You may > also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Freeman, Robert INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
