Plaintext Password Vulnerability during Installation of Oracle HTMLDB

Name: Plaintext Password Vulnerability during Installation of Oracle HTMLDB
Systems Affected: Oracle HTMLDB
Severity: Low Risk
Category: Cross Site Scripting (CSS/XSS)
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 7 October 2005 (V 1.00)


Details
Oracle HTML DB is a rapid web application development tool for the Oracle database.
Using only a web browser and limited programming experience, it is possible to develop and deploy professional-looking applications that are both fast and secure.

During the manual installation of HTMLDB the SYS password is written in plaintext to the file install.lst.
The SYS password should never be stored in clear text in a text file.


Affected Products
Oracle HTMLDB

Patch Information
Oracle fixed this issue with the patches from the Critical Patch Update October 2005.

Workaround
Delete the file install.lst manually.

Testcase
Extract from install.lst:

>> Is this a (1) New install or an (2) Upgrade? [1]
>> What is your connect string (Enter for none)? [] ora902
>> What is your Oracle SYS password? [CHANGE_ON_INSTALL] mysecretpassword1
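As an added example (not part of the original advisory and not a Red-Database-Security tool), the POSIX shell functions below look for install.lst files that still record an answer to the SYS password prompt shown in the extract above and remove them, automating the workaround. The sample file tree is constructed here for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example: detect and purge HTMLDB install.lst files that recorded the SYS password.

# Return 0 if the given install.lst holds a typed answer to the SYS password prompt,
# i.e. text after the "[CHANGE_ON_INSTALL]" default; return 1 otherwise.
htmldb_lst_leaks_sys_pw() {
    f="$1"
    [ -f "$f" ] || return 1
    # Prompt line format (from the advisory's extract):
    #   >> What is your Oracle SYS password? [CHANGE_ON_INSTALL] mysecretpassword1
    # Everything after the closing bracket is what the installer typed.
    answer=$(sed -n 's/^>> What is your Oracle SYS password? \[[^]]*\] *//p' "$f")
    [ -n "$answer" ]
}

# Walk a directory tree, delete every leaking install.lst and print its path.
htmldb_purge_install_lst() {
    root="$1"
    find "$root" -type f -name install.lst | while IFS= read -r f; do
        if htmldb_lst_leaks_sys_pw "$f"; then
            rm -f "$f"
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree: one install.lst with a recorded SYS password (assumed
# value), one where the installer just accepted the default. Prints the temp root.
htmldb_make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/htmldb_leak" "$d/htmldb_clean"
    printf '%s\n' \
        '>> Is this a (1) New install or an (2) Upgrade? [1]' \
        '>> What is your connect string (Enter for none)? [] ora902' \
        '>> What is your Oracle SYS password? [CHANGE_ON_INSTALL] mysecretpassword1' \
        > "$d/htmldb_leak/install.lst"
    printf '%s\n' \
        '>> What is your Oracle SYS password? [CHANGE_ON_INSTALL]' \
        > "$d/htmldb_clean/install.lst"
    echo "$d"
}
```

Run `htmldb_purge_install_lst "$ORACLE_HOME"` (or the directory the HTMLDB installer was run from) after installation; each printed path is a removed file.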


History
26-jan-2004 Oracle secalert was informed
27-jan-2004 Bug confirmed
13-apr-2005 Oracle published CPU April 2005 without informing Red-Database-Security that this bug is already fixed.
07-oct-2005 Red-Database-Security published this advisory



© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
