Re[2]: security problem with 8i

From: <dgoulet_at_vicr.com>
Date: Wed, 18 Jul 2001 09:16:31 -0700
Message-ID: <F001.0034D9A0.20010718092529@fatcity.com>

Brian,

    Humm, let me guess, SYSTEM right??? Some old concepts die so hard. Oracle 5 and earlier did not understand the idea of tablespaces, but had partitions with the system partition being the original and prime one. Now one could create other partitions, but that was 'risky' at best whereas Oracle provided a canned way to add a datafile to the system partition!!!

Dick Goulet

____________________Reply Separator____________________
Author: "Brian McGraw" <brian.mcgraw_at_infinity-insurance.com>
Date:       7/18/2001 8:56 AM

Ah, War stories...

Reminds me (somewhat) of a company that I consulted, that had been suddenly abandoned by its DBA in November, 1999 - anyone remember the Y2K panic??

They couldn't explain the CPU slowdown and lack of IO throughput. So I went on site, and their DBA with 5 years of experience had exactly 3 tablespaces in the system: TEMP, RBS, and SYSTEM. System was > 2GB and was composed of about 25 datafiles. Anyone care to guess where all of the db objects lived???

It was a production system, BTW. It's nice to feel like a miracle-worker sometimes. : )

Brian

Rachel Carmichael wrote:

> I would doubt he's joking. I've had similar experiences....
>
> transferred to another department within the same company. Get a call from
> my old boss "our dba is out sick, we HAVE to have this done today, this is a
> highly secured system you have to help and make the changes from this pc"
>
> I go there, cannot log into the database with the username and password he
> gives me. We call the dba (who was really sick), apologize and ask for the
> username and password -- same as what I had. Still does not work. I stop,
> think and say "let me try something"
>
> and log in as system/manager
>
> I do what they ask me to, then take my old boss aside and explain (gently)
> that he has a security hole in his "highly secured" system that I could
> drive a truck through.
>
> >From: paquette stephane <stephane_paquette_at_yahoo.com>
> >Reply-To: ORACLE-L_at_fatcity.com
> >To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> >Subject: Re: Re[2]: security problem with 8i
> >Date: Wed, 18 Jul 2001 07:25:48 -0800
> >
> >Are you joking ?
> >
> > --- dgoulet_at_vicr.com wrote:
> > > Although there has been so much publicity of
> > > security "holes" in Oracle, in
> > > particular the listener, the one hole that really
> > > causes me concern is the
> > > default passwords for sys and system and/or using
> > > the username as a password.
> > > Over the past 2 years I've been to a few sites, like
> > > 4, at a friend's request
> > > and/or on an interview where the manager said "show
> > > me" and each time I've been
> > > able to log onto the DB with any of the following:
> > >
> > > sys/change_on_install
> > > sys/sys
> > > system/system
> > > system/manager
> > >
> > > Now come on, this was an old V6 thing that we were
> > > supposed to do, and we're
> > > still not!!
> > >
> > > Dick Goulet
> > >
> > > ____________________Reply Separator____________________
> > > Author: Ray Stell <stellr_at_stell.cns.vt.edu>
> > > Date: 7/18/2001 5:15 AM
> > >
> > > On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon
> > > Walthour wrote:
> > > > Listers:
> > > >
> > > > My client has asked me to look into this issue and
> > > determine if they should
> > > > be concerned about it or not. Since they don't
> > > have any db's directly
> > > > accessible from the Internet and since their LAN
> > > is very secure anyway, I'm
> > > > inclined to not apply any patches based on the
> > > premise that if it isn't a
> > > > necessary patch, don't apply it in fear of
> > > breaking something else. What do
> > > > you think?
> > > > --
> > >
> > > two words, disgruntled employee
> > >
> >===============================================================
> > > Ray Stell stellr_at_vt.edu (540) 231-4109
> > > KE4TJC 28^D
> > > --
> > > Please see the official ORACLE-L FAQ:
> > > http://www.orafaq.com
> > > --
> > > Author: Ray Stell
> > > INET: stellr_at_stell.cns.vt.edu
> > >
> > > Fat City Network Services -- (858) 538-5051 FAX:
> > > (858) 538-5051
> > > San Diego, California -- Public Internet
> > > access / Mailing Lists
> > >
> >--------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an
> > > E-Mail message
> > > to: ListGuru_at_fatcity.com (note EXACT spelling of
> > > 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB
> > > ORACLE-L
> > > (or the name of mailing list you want to be removed
> > > from). You may
> > > also send the HELP command for other information
> > > (like subscribing).
> >
> >=====
> >Stéphane Paquette
> >DBA Oracle, consultant entrepôt de données
> >Oracle DBA, datawarehouse consultant
> >stephane_paquette_at_yahoo.com
> >

--
--------------------------------------
| Brian McGraw     --     Oracle DBA |
| Central Alabama Oracle Users Group |
|------------------------------------|
| mailto:BMcGraw_at_mindspring.com      |
| http://bmcgraw.home.mindspring.com |
--------------------------------------


Received on Wed Jul 18 2001 - 11:16:31 CDT
