Red-Database-Security GmbH is specialized in Oracle Security

Fact sheet about Oracle Mod_PLSQL passwords


Algorithm

MODPLSQL / MOD_PLSQL passwords are NOT encrypted, only obfuscated.
  • Passwords starting with a "!" are BASE64 encoded
  • Passwords starting with a "@" are obfuscated with a proprietary obfuscation algorithm (dadTool.pl)
    (Oracle Application Server 10g only)
  • Passwords without a leading "!" or "@" are not encrypted


Location of modplsql password

  • $ORACLE_HOME/Apache/modplsql/wdbsvr.app (Webdb, iAS 1.0.x, iAS 9.0.2, Oracle HTTP Server)
  • $ORACLE_HOME/Apache/modplsql/dads.conf (OAS 10g)

How to change an Oracle modplsql password?

  • Via the Web interface
  • Manually in the file dads.conf or wdbsvr.app
After changing a password manually in the text files, it is possible to obfuscate the password with BASE64 (OHS, iAS 1.x/9.0.2) or the Oracle tool dadobj.exe (OAS 10g only).


Decryption

Remove the leading "!" and use a BASE64 decoder.


Example

############dads.conf#################
<Location /pls/portal>
SetHandler pls_handler
Order allow,deny
Allow from All
AllowOverride None
PlsqlDatabaseUsername portal
PlsqlDatabasePassword @BSzj+6DI4Hc6Cpz64yGcrA6Abvg3+pKfUg==
PlsqlDatabaseConnectString cn=asdb,cn=oraclecontext NetServiceNameFormat
PlsqlNLSLanguage AMERICAN_AMERICA.UTF8
PlsqlAuthenticationMode SingleSignOn
PlsqlSessionCookieName portal
PlsqlDocumentTablename portal.wwdoc_document
PlsqlDocumentPath docs
PlsqlDocumentProcedure portal.wwdoc_process.process_download
PlsqlDefaultPage portal.home
PlsqlPathAlias url
PlsqlPathAliasProcedure portal.wwpth_api_alias.process_download
</Location>
############dads.conf#################

############wdbsvr.app################
;
[WVGATEWAY]
defaultDAD = simpledad
administrators = all
adminPath = /admin_/
;upload_as_long_raw =
;upload_as_blob =
;debugModules =
;
[DAD_simpledad]
connect_string = sample-tcp
password = sample
username = sample
default_page = sample.home
document_table = sample.wwdoc_document
document_path = docs
document_proc = sample.wwdoc_process.process_download
upload_as_long_raw =
upload_as_blob = *
reuse = Yes
connmax = 10
enablesso = No
;pathalias =
;pathaliasproc =
;name_prefix =
;always_describe =
;after_proc =
;before_proc =
############wdbsvr.app################
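
An audit check built on the prefix rules listed under "Algorithm", added here as an example (it is not Red-Database-Security's or Oracle's code): it scans dads.conf or wdbsvr.app text and reports how each DAD password is stored, without printing the password. The function names and the sample input, which joins both file formats into one string for brevity, are constructed for illustration.

```python
import base64
import binascii
import re

# Password line in dads.conf (Apache directive) or wdbsvr.app (INI key).
PASSWORD_RE = re.compile(r"^\s*(?:PlsqlDatabasePassword\s+|password\s*=\s*)(\S*)", re.I)
# Enclosing section: <Location /pls/x> in dads.conf, [DAD_x] in wdbsvr.app.
SECTION_RE = re.compile(r"^\s*(?:<Location\s+([^>\s]+)\s*>|\[([^\]]+)\])")

def classify(value):
    """Return the storage form of a DAD password without revealing it."""
    if value.startswith("@"):
        return "obfuscated"          # proprietary obfuscation (OAS 10g only)
    if value.startswith("!"):
        try:
            base64.b64decode(value[1:], validate=True)
            return "base64"          # reversible encoding, not encryption
        except (binascii.Error, ValueError):
            return "malformed-base64"
    return "cleartext" if value else "empty"

def audit(text):
    """Return (line number, section, storage form) for every password line."""
    findings, section = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith((";", "#")):   # commented-out settings
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1) or m.group(2)
            continue
        m = PASSWORD_RE.match(line)
        if m:
            findings.append((lineno, section, classify(m.group(1))))
    return findings

# Constructed sample input (values are placeholders, not real credentials).
SAMPLE = """\
<Location /pls/portal>
PlsqlDatabaseUsername portal
PlsqlDatabasePassword @EXAMPLEONLY==
</Location>
<Location /pls/app>
PlsqlDatabasePassword !c2FtcGxl
</Location>
[DAD_simpledad]
password = sample
username = sample
;password = old
"""

if __name__ == "__main__":
    for lineno, section, form in audit(SAMPLE):
        print(f"line {lineno}: {section}: password stored as {form}")
```

Since none of the three forms is encryption, every finding points to a file whose read permissions need to be restricted.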


2005 by Red-Database-Security GmbH - last update 04-nov-2005

Oracle Patch Policy

Vulnerability Fixing Order of Oracle Vulnerabilities

  • Main line of Code
  • New Products (e.g. 10g Rel. 2)
  • Patchsets for older products (e.g. 9.2.0.7)
  • Critical Patch Update

More information available on Oracle OTN:

Security Vulnerability Fixing Policy and Process