[12417] in bugtraq
Oracle 8i Security
daemon@ATHENA.MIT.EDU (Jonathan A. Zdziarski)
Wed Nov 3 15:21:58 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSI.4.05L.9911021252120.18105-100000@cartman.netrail.net>
Date: Tue, 2 Nov 1999 12:54:35 -0500
Reply-To: "Jonathan A. Zdziarski" <jonz@NETRAIL.NET>
From: "Jonathan A. Zdziarski" <jonz@NETRAIL.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

This is probably present in other versions of Oracle as well, but I
noticed when fat-fingering a table that if you try to create a referential
integrity constraint on someone else's table, it presents the user with a
little too much information. If the table does not exist in the other
user's schema, you get an 'ORA-00924: table or view does not exist';
however, if the table exists and you don't have permission to reference it,
you get a different error (something similar to 'invalid access').

This can be used to find out what tables another schema owns without
having access to them. It's not a big deal for our implementation, but it
could be on others.

Thank you,
Jonathan A. Zdziarski
Sr. Systems Administrator
Netrail, inc.
888.NET.RAIL x240
http://www.netrail.net
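
The error discrepancy described in the message above, as an added example that is not part of the original post and is not Oracle code: a toy Python model of the privilege check in its leaky form beside a uniform-error form, plus a regression check that reports which names remain distinguishable to an unprivileged caller. The catalog, user names, function names and error strings are constructed assumptions.

```python
class DbError(Exception):
    """Error returned to the caller of the toy check."""

# Constructed catalog: schema -> {table: users granted the right to reference it}
CATALOG = {"HR": {"EMPLOYEES": {"APP"}, "SALARIES": set()}}

NOT_FOUND = "table or view does not exist"
DENIED = "invalid access"  # the post's approximate wording for the second error

def check_reference_leaky(user, schema, table, catalog=CATALOG):
    """Existence is tested before privilege, so the two failures differ."""
    grants = catalog.get(schema, {})
    if table not in grants:
        raise DbError(NOT_FOUND)
    if user != schema and user not in grants[table]:
        raise DbError(DENIED)
    return True

def check_reference_uniform(user, schema, table, catalog=CATALOG):
    """A caller without rights gets the same error whether or not the table exists."""
    grants = catalog.get(schema, {})
    if user == schema:
        # The owner is allowed to learn what their own schema contains.
        if table not in grants:
            raise DbError(NOT_FOUND)
        return True
    if user not in grants.get(table, set()):
        raise DbError(NOT_FOUND)
    return True

def outcome(check, user, schema, table):
    """Return 'ok' or the error text the caller would see."""
    try:
        check(user, schema, table)
        return "ok"
    except DbError as exc:
        return str(exc)

def distinguishable_names(check, user, schema, candidates):
    """Names whose failure differs from the failure for a name known to be absent."""
    baseline = outcome(check, user, schema, "NO_SUCH_TABLE_PLACEHOLDER")
    return sorted(t for t in candidates
                  if outcome(check, user, schema, t) not in ("ok", baseline))

if __name__ == "__main__":
    names = ["EMPLOYEES", "SALARIES", "PAYROLL"]  # PAYROLL is not in the catalog
    print("leaky:  ", distinguishable_names(check_reference_leaky, "GUEST", "HR", names))
    print("uniform:", distinguishable_names(check_reference_uniform, "GUEST", "HR", names))
```

An empty result from distinguishable_names for an unprivileged user is the property to assert in a regression test; tables the user can legitimately reference return "ok" and are excluded on purpose.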