Oracle FAQ (orafaq.com) - Oracle-L mailing list archive
Subject: Oracle client security
Hey all,
I've been helping a developer work with a vendor in deciphering why their stinking Oracle client on Windohs doesn't work. One tool I found at Quest can monitor SQL calls from a Windows program that uses the Oracle Client. Very cool. But it got me to thinking...
More than a year ago, we had problems with a Perl::DBI program connecting to the Oracle DB using the WE8ISO8859P1 charset. It always failed the first time and then secretly and automagically attempted the connection a second time, which succeeded. I was able to verify this by using AUDIT in the DB while running the program.
As I recall, an Oracle client trace showed the password sent as plaintext after the first failure. The fix was to upgrade Perl from 5.0 to 5.6 (or 5.8, I forget) which also necessitated a DBI upgrade (I forget what versions). At the time, the client was 8.0.5 and the server was 8.1.7.
Has anyone heard of this before? It seems to me that it wouldn't be too difficult to force the issue, causing the password to be sent plaintext. I don't know how big of a security deal this could be, but it piqued my curiosity.
TIA, Rich
Rich Jesse
System/Database Administrator
rich.jesse_at_quadtechworld.com
QuadTech, Sussex, WI USA

Please see the official ORACLE-L FAQ: http://www.orafaq.com
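The poster verified the "fails once, then silently succeeds" behaviour with AUDIT on the database. The script below is an added example, not code from the original post or from Oracle: it runs that check over audit data offline, flagging a failed LOGON (ORA-01017, RETURNCODE 1017) from a given user and host that is followed within a few seconds by a successful LOGON from the same user and host. A retry that arrives a second or two after every failure is the fingerprint of a client library falling back to a different authentication exchange rather than a human re-typing a password, and it is exactly the case where a packet capture or client trace is worth taking to see what the second attempt sends. The column names assume a CSV export of DBA_AUDIT_SESSION (USERNAME, OS_USERNAME, USERHOST, TIMESTAMP, ACTION_NAME, RETURNCODE); the sample rows are constructed for illustration, and the five-second window is an assumption to tune.

```python
"""Flag the 'failed logon immediately followed by a successful one' pattern
in Oracle audit data.

Added example, not from the original post. Assumes records exported from
DBA_AUDIT_SESSION with the columns USERNAME, OS_USERNAME, USERHOST,
TIMESTAMP, ACTION_NAME and RETURNCODE. RETURNCODE 1017 is ORA-01017
(invalid username/password); 0 is success.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit export (not real audit data): a DBI client that
# fails and then succeeds one second later, a normal batch logon, a genuine
# failed attempt with no follow-up, and a slow human retry five minutes later.
SAMPLE_AUDIT_CSV = """\
USERNAME,OS_USERNAME,USERHOST,TIMESTAMP,ACTION_NAME,RETURNCODE
SCOTT,rich,wkstn01,2003-05-12 09:14:02,LOGON,1017
SCOTT,rich,wkstn01,2003-05-12 09:14:03,LOGON,0
HR,batch,appsrv,2003-05-12 09:15:00,LOGON,0
SYSTEM,mallory,laptop7,2003-05-12 09:16:30,LOGON,1017
SCOTT,rich,wkstn01,2003-05-12 10:00:00,LOGON,1017
SCOTT,rich,wkstn01,2003-05-12 10:05:00,LOGON,0
"""

ORA_01017 = 1017  # invalid username/password
DEFAULT_WINDOW = timedelta(seconds=5)  # assumed: "machine-speed" retry gap


def parse_audit_csv(text):
    """Parse the CSV export into dicts with typed TIMESTAMP and RETURNCODE."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["TIMESTAMP"] = datetime.strptime(rec["TIMESTAMP"], "%Y-%m-%d %H:%M:%S")
        rec["RETURNCODE"] = int(rec["RETURNCODE"])
        rows.append(rec)
    return rows


def find_retry_logons(rows, window=DEFAULT_WINDOW):
    """Return (failed_row, success_row) pairs for the same user/OS user/host
    where an ORA-01017 LOGON is followed by a successful LOGON within `window`.

    Events are grouped per client identity and walked in time order, so a
    failure followed by a success from a different host is not paired.
    """
    by_client = defaultdict(list)
    for r in rows:
        if r["ACTION_NAME"] != "LOGON":
            continue
        by_client[(r["USERNAME"], r["OS_USERNAME"], r["USERHOST"])].append(r)

    findings = []
    for events in by_client.values():
        events.sort(key=lambda r: r["TIMESTAMP"])
        for prev, nxt in zip(events, events[1:]):
            if (prev["RETURNCODE"] == ORA_01017 and nxt["RETURNCODE"] == 0
                    and nxt["TIMESTAMP"] - prev["TIMESTAMP"] <= window):
                findings.append((prev, nxt))
    return findings


def summarize(findings):
    """Count fail-then-succeed pairs per (USERNAME, OS_USERNAME, USERHOST).
    A client that shows up here on every logon is retrying programmatically."""
    counts = defaultdict(int)
    for failed, _ in findings:
        counts[(failed["USERNAME"], failed["OS_USERNAME"], failed["USERHOST"])] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_retry_logons(parse_audit_csv(SAMPLE_AUDIT_CSV))
    for failed, ok in hits:
        gap = (ok["TIMESTAMP"] - failed["TIMESTAMP"]).total_seconds()
        print(f"{failed['USERNAME']}@{failed['USERHOST']}: ORA-01017 at "
              f"{failed['TIMESTAMP']} then success {gap:.0f}s later")
    print(summarize(hits))
```

With the default five-second window only the first SCOTT pair is reported; the 10:00/10:05 pair is a human-paced retry and is left alone unless the window is widened. Run it against a real export after enabling `AUDIT SESSION` (or `AUDIT CONNECT`) as the poster did, then take a client-side trace or capture for any client that appears in the summary on every connection.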