Red-Database-Security GmbH is specialized in Oracle Security
Oracle JDeveloper passes Plaintext Password
Details

Starting an external program and passing the password as a parameter is insecure. This is the easiest way to decrypt an encrypted password. Replace the sqlplus.exe with a fake version which stores the passwords in a local file.

JDeveloper starts sqlplus with the following parameter:

    system/secretpw1@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))

Affected Products

Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2

Patch Information

Apply the patches for JDeveloper and / or DeveloperSuite mentioned in Metalink Note 311038 on your JDeveloper / DeveloperSuite installation (normally your client PC).

Workaround

Do not start sqlplus from JDeveloper.

History

14-feb-2005 Oracle secalert was informed
14-feb-2005 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
12-jul-2005 Red-Database-Security published this advisory

© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
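The following check is an added example, not code from Red-Database-Security or Oracle. It flags a sqlplus-style argument list that carries a password, using the parameter quoted under Details as constructed sample input, and contrasts it with a launch that starts sqlplus with /nolog and sends the CONNECT statement on standard input. The function names are hypothetical, and the /nolog launch only removes the password from the process parameters: a replaced sqlplus binary would still read it from stdin.

```python
import re

# Oracle logon syntax on a command line: user/password[@connect_identifier]
LOGON = re.compile(r"^(?P<user>[^/@\s]+)/(?P<password>[^@\s]+)(?:@(?P<dsn>.+))?$")


def exposed_logon(argv):
    """Return (user, dsn) if a sqlplus-style argv carries a password, else None.

    The password itself is never returned, so findings can be logged safely.
    """
    for arg in argv[1:]:
        if arg.startswith(("-", "@")):  # options and @script arguments
            continue
        m = LOGON.match(arg)
        if m:
            return m.group("user"), m.group("dsn")
    return None


def nolog_invocation(user, password, dsn):
    """Build a launch that keeps the password out of the argument list.

    sqlplus is started with /nolog and reads the CONNECT statement from
    stdin, so the credential is not passed as a process parameter.
    """
    argv = ["sqlplus", "/nolog"]
    stdin_text = f"connect {user}/{password}@{dsn}\n"
    return argv, stdin_text


# Constructed sample: the parameter quoted in the advisory.
DSN = ("(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=picard)"
       "(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))")
ADVISORY_ARGV = ["sqlplus.exe", f"system/secretpw1@{DSN}"]

if __name__ == "__main__":
    print("as launched by JDeveloper:", exposed_logon(ADVISORY_ARGV))
    argv, stdin_text = nolog_invocation("system", "secretpw1", DSN)
    print("with /nolog:", argv, "->", exposed_logon(argv))
```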