Plaintext Password Vulnerability during Installation of Oracle HTMLDB
Oracle HTML DB is a rapid web application development tool for the Oracle database.
Using only a web browser and limited programming experience, it is possible to develop and deploy professional-looking applications that are both fast and secure.
During the manual installation of HTMLDB the SYS password is logged in plaintext to the file install.lst.
The SYS password should never be stored in a text file in clear text.
Oracle fixed this issue with the patches from Critical Patch Update October 2005.
Workaround: delete the file install.lst manually after the installation has finished.
Extract from install.lst:
>> Is this a (1) New install or an (2) Upgrade? 
>> What is your connect string (Enter for none)?  ora902
>> What is your Oracle SYS password? [CHANGE_ON_INSTALL] mysecretpassword1
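Added check (example code, not part of the advisory): a POSIX shell script that tests whether an install.lst contains a logged SYS password answer and, if so, overwrites and removes the file. The file name and prompt text are taken from the extract above; the sample log content written by the script is constructed and uses a placeholder password.

```shell
#!/bin/sh
# Added example, not from the advisory: detect and remove an HTML DB install.lst
# that captured the SYS password. The prompt text and file name come from the
# advisory extract; the sample log below is constructed.

# Return 0 if the log contains the "What is your Oracle SYS password?" prompt
# followed by a non-empty answer after the [CHANGE_ON_INSTALL] default, else 1.
sys_password_logged() {
    grep -E 'Oracle SYS password\? *\[CHANGE_ON_INSTALL\] *[^[:space:]]+' "$1" >/dev/null 2>&1
}

# Overwrite the log before unlinking so the password does not linger on disk.
remove_install_log() {
    f=$1
    [ -f "$f" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"
    else
        # Portable fallback: overwrite once with zeros, then unlink.
        size=$(wc -c < "$f" | tr -d ' ')
        dd if=/dev/zero of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null
        rm -f "$f"
    fi
}

# Constructed sample log mirroring the advisory extract (placeholder password).
demo_dir=$(mktemp -d)
demo_log="$demo_dir/install.lst"
cat > "$demo_log" <<'EOF'
>> Is this a (1) New install or an (2) Upgrade? 
>> What is your connect string (Enter for none)?  ora902
>> What is your Oracle SYS password? [CHANGE_ON_INSTALL] mysecretpassword1
EOF

if sys_password_logged "$demo_log"; then
    echo "SYS password found in $demo_log, removing the file"
    remove_install_log "$demo_log"
fi
```

Run it from the directory where the HTMLDB installer was started, pointing both functions at the real install.lst instead of the constructed demo file; a prompt line whose answer is empty (the operator pressed Enter) is not reported.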
26-jan-2004 Oracle secalert was informed
27-jan-2004 Bug confirmed
13-apr-2005 Oracle published CPU April 2005 without informing Red-Database-Security that this bug had already been fixed.
07-oct-2005 Red-Database-Security published this advisory
© 2005 by Red-Database-Security GmbH - last update 03-nov-2005