This one has been done to death on the newsgroup, but just in case you haven't seen it, there is a security hole in 9i when using the new ANSI join syntax. Consider the following example:
create user demo identified by demo; grant create session To us1; connect demo/demo
Now at this point, the DEMO user should only be able to query those tables accessible to PUBLIC. For example,
SQL> select * from dba_users;
select * from dba_users
*
ERROR at line 1:
ORA-00942: table or view does not exist
But as soon as you add in the newly supported ANSI join syntax, privileges appear to be bypassed.
select a.* from dba_users a cross join dual (all rows appear)
Of more concern, is that (unrelated to this bug) some joins of course allow updates/deletes etc. So a carefully created join using the new syntax can be used to destroy all sorts of things. (A cross join to SYS.OBJ$ would be the obvious candidate to do maximum damage
This listed as bug 2121935 which is fxed in 9i.2 and also a patch (of the same number) is available for some platforms on 9.0.1.3