
Re: Oracle 11g/10g Installation Vulnerability

From: Don Seiler <don_at_seiler.us>
Date: Tue, 13 Nov 2007 14:26:05 -0600
Message-ID: <716f7a630711131226h17b9f6b9xdd0d7ab12d61c32b@mail.gmail.com>


Is the listener running by default during this window?

Don.

On Nov 13, 2007 1:52 PM, David Litchfield <david_at_databasesecurity.com> wrote:
> Hey all,
> After investigating 11g the other day I came across an interesting issue.
> During the installation of Oracle 11g and 10g all accounts, including the
> SYS and SYSTEM accounts, have their default passwords and only at the end of
> the install are the passwords changed. This means that there is a window of
> opportunity for an attacker to log into the database server during the
> install process. Depending upon "which" install options you choose
> determines the size of the window. Full details for those that are
> interested can be found here:
> http://www.davidlitchfield.com/blog/archives/00000030.htm - since I reported
> this to Oracle on the 3rd of November they've updated their security
> checklist document:
> http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database_20071108.pdf

-- 
Don Seiler
http://seilerwerks.wordpress.com
ultimate: http://www.mufc.us
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Nov 13 2007 - 14:26:05 CST
