|
ANSI join syntax bypasses object privileges
April 24, 2002
To determine if you are vulnerable to this attack, download AppDetective
for Oracle from http://www.appsecinc.com/products/appdetective/oracle
Risk level: High
Summary:
Oracle9i added support for ANSI compliant joins to meet the ANSI SQL99
standard. Due to a bug in the query processor in Oracle9i Release 1,
queries which use the ANSI compliant join syntax bypass the access
control mechanism in Oracle. This allows a non-privileged account to
access any data in the database.
Details:
In Oracle9i, the query processor has been enhanced to be compliant with
several features of the ANSI/ISO SQL99 standard. One of the most notable
enhancements is support for ANSI compliant joins.
A serious security hole exists in Oracle9i Release 1 with support for
the new ANSI compliant join syntax. When a query is written using the
ANSI outer join syntax, Oracle object privileges are bypassed. For
example, a user that does not have privileges to select from the
DBA_USERS table, can execute the following statement:
SELECT A.USERNAME, A.PASSWORD FROM SYS.DBA_USERS A LEFT OUTER JOIN
SYS.DBA_USERS B ON B.USERNAME = A.USERNAME
This vulnerability allows a non-privileged user to view any data in the
database.
Fix:
There is no work around for this security issue. If you are using Oracle
9.0.1, you must install the patch or upgrade to Oracle 9.0.2 (which is
not yet available).
Patches are being made available from Oracle. To lookup whether a patch
is available for your platform, reference the bug fix number 2121935
from the website http://metalink.oracle.com.
From this web page, click the "Patches" button to get to the patches Web
page. Enter the bug fix number 2121935 and click the "Submit" button.
|
