Red-Database-Security GmbH is specialized in Oracle Security
Oracle JDeveloper Plaintext Passwords
Details

The JDeveloper configuration files IDEConnections.xml, XSQLConfig.xml and settings.xml contain unencrypted database passwords.

Example

1. Plaintext-Password in IDEConnections.xml

    <connection>
      <JDBC_PORT>1521</JDBC_PORT>
      <ConnectionType>JDBC</ConnectionType>
      <HOSTNAME>picard</HOSTNAME>
      <DeployPassword>true</DeployPassword>
      <user>system</user>
      <ConnectionName>ConnectionAlex2</ConnectionName>
      <SID>ora10103</SID>
      <JdbcDriver>oracle.jdbc.driver.OracleDriver</JdbcDriver>
      <password>mysupersecretpassword1</password>
      <ORACLE_JDBC_TYPE>thin</ORACLE_JDBC_TYPE>
    </connection>

2. Plaintext-Password in XSQLConfig.xml

    <connection name="ConnectionAlex1">
      <username>system</username>
      <password>mysupersecretpassword1</password>
      <dburl>jdbc:oracle:oci8:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))</dburl>
      <driver>oracle.jdbc.driver.OracleDriver</driver>
    </connection>

3. Plaintext-Password of OTN Account in settings.xml

    <Item>
      <Key>oracle.ideimpl.update.wizard.AuthInfo</Key>
      <Value class="oracle.ideimpl.update.wizard.AuthInfo">
        <password>mysupersecretpassword1</password>
        <passwordRemembered>true</passwordRemembered>
        <userName>email@email.com</userName>
      </Value>
    </Item>

Affected Products

Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2

Patch Information

Apply patches for JDeveloper and / or DeveloperSuite mentioned in Metalink Note 311038 on your JDeveloper / DeveloperSuite Installation (normally your client PC).

History

14-feb-2005 Oracle secalert was informed
14-feb-2005 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
12-jul-2005 Red-Database-Security published this advisory

© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
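An audit check for the three files named in this advisory, added here as an example (it is not code from Red-Database-Security or Oracle): it reports every element that holds a non-empty <password> child, together with the connection name and user, without echoing the password itself. The function names, the report fields and the embedded sample are assumptions; the sample is constructed from the IDEConnections.xml excerpt above.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the IDEConnections.xml excerpt in the advisory.
SAMPLE = """<connections>
  <connection>
    <HOSTNAME>picard</HOSTNAME>
    <user>system</user>
    <ConnectionName>ConnectionAlex2</ConnectionName>
    <password>mysupersecretpassword1</password>
  </connection>
  <connection name="NoSavedPassword">
    <username>scott</username>
    <password></password>
  </connection>
</connections>"""

# The three files spell the user element differently.
USER_TAGS = ("user", "username", "userName")

def _first_text(parent, tags):
    """Text of the first non-empty direct child whose tag is in `tags`."""
    for tag in tags:
        child = parent.find(tag)
        if child is not None and child.text and child.text.strip():
            return child.text.strip()
    return None

def find_plaintext_passwords(xml_text):
    """Return one finding per element with a non-empty <password> child.

    Only the length of the password is reported, never its value, so the
    output can be attached to a ticket without leaking the credential.
    """
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        pw = parent.find("password")          # direct children only
        if pw is None or not (pw.text or "").strip():
            continue                          # absent or empty: nothing stored
        findings.append({
            "element": parent.tag,
            "name": (parent.get("name") or parent.get("class")
                     or _first_text(parent, ("ConnectionName",))),
            "user": _first_text(parent, USER_TAGS),
            "password_length": len(pw.text.strip()),
        })
    return findings

if __name__ == "__main__":
    # Usage: python audit.py IDEConnections.xml XSQLConfig.xml settings.xml
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for finding in find_plaintext_passwords(fh.read()):
                print(path, finding)
```

Run it against the configuration files on each client PC before and after applying the patch; any finding means the stored credential should be treated as exposed and rotated.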