Oracle JDeveloper passes Plaintext Password

Name: Oracle JDeveloper passes Plaintext Password
Systems Affected: Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2
Severity: Low Risk
Category: Information disclosure
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 12 July 2005 (V 1.00)
Oracle Vuln#: AS09
Time to fix: 148 days


Details
Starting an external program and passing the password as a command-line parameter is insecure: the argument list of a running process is visible to other local users, so the password shows up in any process listing. This is also the easiest way to recover a password that JDeveloper stores in encrypted form. An attacker only has to replace sqlplus.exe with a fake version that writes the passwords it receives to a local file.

JDeveloper starts sqlplus with the following parameter:
system/secretpw1@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))
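The following script is an added example and is not part of the Red-Database-Security advisory. It shows the defender's side of the issue above: an audit routine that walks a list of process command lines, recognises the SQL*Plus "user/password@connect" argument form, reports each hit with the password redacted, and shows how a launcher can start sqlplus with "/nolog" and hand the CONNECT command over stdin instead of argv. The process table, PIDs and image paths are constructed for this example; the host "picard", SID "ora10103" and password "secretpw1" are taken from the connect string quoted in the advisory.

```python
"""Audit process argument lists for Oracle credentials passed on the command line.

Added example, not the advisory's or Oracle's code. The process table below is
constructed; a real tool would read it from psutil, WMI, or /proc.
"""
import re
from dataclasses import dataclass

# SQL*Plus connect argument: user/password@connect_identifier
# The identifier may be a TNS alias (ORCL) or a full (DESCRIPTION=...) string;
# neither contains whitespace, so \S+ is sufficient.
CONNECT_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9_$#]+)/(?P<password>[^@\s]+)@(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str            # executable name without directory
    user: str             # database account exposed in argv
    target: str           # connect identifier (no secret in it)
    redacted_cmdline: str # what the report may safely contain


def parse_connect_arg(arg: str):
    """Return (user, password, target) if arg is a SQL*Plus connect string, else None."""
    m = CONNECT_RE.match(arg)
    if not m:
        return None
    return m.group("user"), m.group("password"), m.group("target")


def redact(argv):
    """Rebuild the command line with every password replaced by ***."""
    out = []
    for a in argv:
        parsed = parse_connect_arg(a)
        if parsed:
            user, _, target = parsed
            out.append(f"{user}/***@{target}")
        else:
            out.append(a)
    return " ".join(out)


def scan_process_table(procs):
    """procs: iterable of (pid, argv). Returns one Finding per process that
    carries a credential in its arguments. The report never includes the
    password itself, so it can be shipped to a SIEM without re-leaking it."""
    findings = []
    for pid, argv in procs:
        if not argv:
            continue
        image = argv[0].rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
        for a in argv[1:]:
            parsed = parse_connect_arg(a)
            if parsed:
                user, _, target = parsed
                findings.append(Finding(pid, image, user, target, redact(argv)))
                break
    return findings


def safe_invocation(user, password, target):
    """Launcher-side mitigation: keep the credential out of argv by starting
    sqlplus with /nolog and sending CONNECT on stdin. Returns (argv, stdin)
    for subprocess.run(argv, input=stdin, text=True)."""
    argv = ["sqlplus", "/nolog"]
    stdin = f"CONNECT {user}/{password}@{target}\n"
    return argv, stdin


# Constructed sample process table (hypothetical PIDs and paths).
SAMPLE_PROCESSES = [
    (1204, ["C:\\oracle\\bin\\sqlplus.exe",
            "system/secretpw1@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)"
            "(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))"]),
    (1311, ["C:\\oracle\\bin\\sqlplus.exe", "/nolog"]),
    (1402, ["notepad.exe", "C:\\notes.txt"]),
    (1533, ["/u01/app/oracle/bin/sqlplus", "appuser/Example1@ORCL", "@report.sql"]),
]

if __name__ == "__main__":
    for f in scan_process_table(SAMPLE_PROCESSES):
        print(f"pid {f.pid}: {f.image} exposes account {f.user} -> {f.redacted_cmdline}")
```

Run it periodically (or feed it live process snapshots) on developer workstations to catch any tool, not only JDeveloper, that still launches sqlplus with credentials in its arguments; the redacted command line is what goes into the ticket or alert.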




Affected Products
Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2

Patch Information
Apply the patches for JDeveloper and/or Developer Suite listed in Metalink Note 311038 to your JDeveloper / Developer Suite installation (normally your client PC).

Workaround
Do not start sqlplus from JDeveloper.


History
14-feb-2005 Oracle secalert was informed
14-feb-2005 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
12-jul-2005 Red-Database-Security published this advisory



© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
