Red-Database-Security GmbH is specialized in Oracle Security

Oracle JDeveloper Plaintext Passwords

Name: Oracle JDeveloper Plaintext Passwords
Systems Affected: Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2
Severity: Low Risk
Category: Information disclosure
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 13 July 2005 (V 1.00)
Oracle Vuln#: AS10
Time to fix: 148


Details
The JDeveloper configuration files IDEConnections.xml, XSQLConfig.xml and settings.xml contain unencrypted database passwords.


Example

1. Plaintext-Password in IDEConnections.xml

<connection>
  <JDBC_PORT>1521</JDBC_PORT>
  <ConnectionType>JDBC</ConnectionType>
  <HOSTNAME>picard</HOSTNAME>
  <DeployPassword>true</DeployPassword>
  <user>system</user>
  <ConnectionName>ConnectionAlex2</ConnectionName>
  <SID>ora10103</SID>
  <JdbcDriver>oracle.jdbc.driver.OracleDriver</JdbcDriver>
  <password>mysupersecretpassword1</password>
  <ORACLE_JDBC_TYPE>thin</ORACLE_JDBC_TYPE>
</connection>

2. Plaintext-Password in XSQLConfig.xml

<connection name="ConnectionAlex1">
  <username>system</username>
  <password>mysupersecretpassword1</password>
  <dburl>jdbc:oracle:oci8:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))</dburl>
  <driver>oracle.jdbc.driver.OracleDriver</driver>
</connection>

3. Plaintext-Password of OTN Account in settings.xml

<Item>
  <Key>oracle.ideimpl.update.wizard.AuthInfo</Key>
  <Value class="oracle.ideimpl.update.wizard.AuthInfo">
    <password>mysupersecretpassword1</password>
    <passwordRemembered>true</passwordRemembered>
    <userName>email@email.com</userName>
  </Value>
</Item>
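
An audit check for the three files shown above, as an added example that is not part of the original advisory or of any Oracle tool: it walks a directory, parses files with those names, and reports each non-empty password element by file and account without returning the password itself. The function names, the `<root>` wrapper in the samples and the decision to flag every non-empty value (without judging whether it is encoded) are assumptions of this example.

```python
import os
import xml.etree.ElementTree as ET

# File names come from the advisory; the tag names are the ones in its three fragments.
TARGET_FILES = {"ideconnections.xml", "xsqlconfig.xml", "settings.xml"}
ID_TAGS = ("ConnectionName", "user", "username", "userName")

def local(tag):
    """Drop a namespace prefix such as '{uri}password'."""
    return tag.rsplit("}", 1)[-1]

def find_stored_passwords(xml_text, source="<string>"):
    """One finding per non-empty <password> element; the value is never returned."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for child in parent:
            if local(child.tag) != "password" or not (child.text or "").strip():
                continue
            account = {local(s.tag): (s.text or "").strip()
                       for s in parent if local(s.tag) in ID_TAGS}
            if "name" in parent.attrib:          # XSQLConfig.xml keeps the name here
                account["ConnectionName"] = parent.attrib["name"]
            findings.append({"file": source, "container": local(parent.tag),
                             "account": account})
    return findings

def scan_tree(top):
    """Walk a directory and check every file named like one of the three targets."""
    findings, errors = [], []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if name.lower() not in TARGET_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings += find_stored_passwords(fh.read(), path)
            except (OSError, ET.ParseError) as exc:   # unreadable or malformed file
                errors.append((path, str(exc)))
    return findings, errors

# Constructed samples: the advisory's fragments inside an assumed <root> wrapper.
SAMPLE_IDE = ("<root><connection><user>system</user>"
              "<ConnectionName>ConnectionAlex2</ConnectionName>"
              "<password>\nmysupersecretpassword1</password></connection></root>")
SAMPLE_XSQL = ('<root><connection name="ConnectionAlex1"><username>system</username>'
               "<password>\nmysupersecretpassword1</password></connection></root>")

if __name__ == "__main__":
    for sample, name in ((SAMPLE_IDE, "IDEConnections.xml"), (SAMPLE_XSQL, "XSQLConfig.xml")):
        for finding in find_stored_passwords(sample, name):
            print(finding)
```

Files that cannot be read or parsed are returned in the second list from `scan_tree` rather than silently skipped, so they can be reviewed by hand.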

Affected Products
Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2

Patch Information
Apply the patches for JDeveloper and/or Developer Suite mentioned in Metalink Note 311038 to your JDeveloper / Developer Suite installation (normally on your client PC).


History
14-feb-2005 Oracle secalert was informed
14-feb-2005 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
12-jul-2005 Red-Database-Security published this advisory



© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
