Hi
Oracle have now posted an advisory to their security alerts page on 17
April.
The URL is http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf
cheers
Pete Finnigan
In article <[EMAIL PROTECTED]>, Pete Finnigan
<[EMAIL PROTECTED]> writes
>Hi all
>
>I thought this list may be intere
Tested as a user with some privs (but not DBA or SELECT ANY TABLE) as below
SQL> select username, user_id, password from sys.dba_users;
select username, user_id, password from sys.dba_users
*
ERROR at line 1:
ORA-00942: table or view does not exist
SQ
Hi Charles
The point is that I can see the dba_users view owned by SYS as a user
with only CREATE SESSION privilege. This is only possible because of the
bug in the ANSI outer join syntax. This bug allows access to any table
without any granted privileges to any user!
The example you show below
You don't need 9i or ANSI syntax.
Connected to:
Oracle8i Enterprise Edition Release 8.1.6.0.0 - Production
With the Partitioning option
JServer Release 8.1.6.0.0 - Production
SQL> set serveroutput on size 100
SQL> sta users
SQL> select username, user_id, password from sys.dba_users
2 /
Hi all
I thought this list may be interested in this issue, apologies if it's
known here already.
Oracle 9i includes the new ANSI outer join syntax. Oracle still supports
the old syntax but in the new syntax there is a serious security issue
that allows any user to view any data.
here is an exa