Plaintext Password Vulnerability during Installation of Oracle HTMLDB

Details
Oracle HTML DB is a rapid web application development tool for the Oracle database. Using only a web browser and limited programming experience, it is possible to develop and deploy professional-looking applications that are both fast and secure.

During the manual installation of HTMLDB, the SYS password is logged in plaintext to the file install.lst. The SYS password should never be stored in a text file in clear text.

Affected Products
Oracle HTMLDB

Patch Information
Oracle fixed this issue with the patches from the Critical Patch Update October 2005.

Workaround
Delete the file install.lst manually.

Testcase
Extract from install.lst:

    >> Is this a (1) New install or an (2) Upgrade? [1]
    >> What is your connect string (Enter for none)? [] ora902
    >> What is your Oracle SYS password? [CHANGE_ON_INSTALL] mysecretpassword1

History
26-jan-2004 Oracle secalert was informed
27-jan-2004 Bug confirmed
13-apr-2005 Oracle published CPU April 2005 without informing Red-Database-Security that this bug was already fixed.
07-oct-2005 Red-Database-Security published this advisory

© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
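
The workaround above, as an added shell example that is not part of the original advisory: it finds install.lst files that recorded the SYS password prompt without echoing the password, and deletes them. The function names and the constructed sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes the log keeps the name
# install.lst and contains the prompt text shown in the testcase.
PROMPT='What is your Oracle SYS password?'

# Print the path of every install.lst under directory $1 that recorded the SYS
# prompt. grep -q keeps the matching line (and the password) off the terminal.
find_sys_password_logs() {
    find "$1" -type f -name 'install.lst' \
        -exec grep -qF -- "$PROMPT" {} \; -print
}

# Apply the workaround: show each hit's permissions on stderr (who could have
# read it), delete it, and print the number of files removed on stdout.
purge_sys_password_logs() {
    find_sys_password_logs "$1" | {
        count=0
        while IFS= read -r f; do
            ls -l -- "$f" >&2
            rm -f -- "$f" && count=$((count + 1))
        done
        echo "$count"
    }
}

# Constructed sample tree: one log with the prompt, one unrelated install.lst.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/htmldb" "$d/other"
    cat > "$d/htmldb/install.lst" <<'EOF'
>> Is this a (1) New install or an (2) Upgrade? [1]
>> What is your connect string (Enter for none)? [] ora902
>> What is your Oracle SYS password? [CHANGE_ON_INSTALL] constructed-password
EOF
    echo 'unrelated listing' > "$d/other/install.lst"
    echo "removed: $(purge_sys_password_logs "$d")"
    rm -rf "$d"
}

# With a directory argument, only report; without one, run the demo.
if [ "$#" -gt 0 ]; then find_sys_password_logs "$1"; else demo; fi
```

Run it with the HTML DB installation directory as the argument to list affected files without deleting anything. Deleting the log does not undo earlier exposure, so if the listed permissions show it was readable by other accounts, changing the SYS password is a sensible follow-up.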