
Re: Presentation = http://admin

From: Vladimir M. Zakharychev <bob_at_dpsp-yes.com>
Date: Wed, 8 Jan 2003 10:58:26 +0300
Message-ID: <avgln4$1dc$1@babylon.agtel.net>


> > Does anybody know if having "Presentation=http://admin" in
> > tnsnames.ora is likely to cause problems for applications NOT using
> > OSE.
> It is likely to become a security hole. Remove if not used.
> Same for EXTPROC.

Agreed - to the extent. :) EXTPROC is particularly dangerous when used with TCP as the communication protocol. When used with IPC it's only dangerous if someone gains access to the machine as this potentially allows the attacker to use extproc via IPC to execute things with oracle's permissions. No remote exploit is possible though. Presentation http:// on the contrary is remotely exploitable (again, with certain complications: OSE listens on non-standard port, which is usually blocked at the firewall, so the attacker should be on LAN; OSE runs inside Oracle's built-in JVM and as such is not particularly helpful in compromising the server or gaining immediate access to the data in the database - but it may allow an attacker to plant a rogue servlet or a JSP into OSE, which could then be used to access sensitive data or execute OS commands under oracle account, though this last exploit will require the attacker to modify Java2 security policies as well...) All in all, OSE doesn't look like a promising target to me. :)

-- 
Vladimir Zakharychev (bob@dpsp-yes.com)                http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.
Received on Wed Jan 08 2003 - 01:58:26 CST
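A configuration audit for the two settings discussed in this thread, as an added example that is not part of the original post: it splits a tnsnames.ora-style file into entries and reports any with an `http://` presentation, and classifies EXTPROC entries as TCP-reachable or IPC-only. The sample file, the aliases and host names, the finding labels and the "extproc" substring heuristic are assumptions made for the example.

```python
import re

# Constructed sample in tnsnames.ora syntax; aliases, host and ports are made up.
SAMPLE = """
ORCL_HTTP =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
    (CONNECT_DATA = (SERVER = SHARED)(SERVICE_NAME = orcl)(PRESENTATION = http://admin)))
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)))
    (CONNECT_DATA = (SID = PLSExtProc)(PRESENTATION = RO)))
EXTPROC_REMOTE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    (CONNECT_DATA = (SID = PLSExtProc)))
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orcl)))
"""

def split_entries(text):
    """Yield (ALIAS, normalized body) for each top-level 'alias = ( ... )' entry."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)      # drop full-line comments
    alias, body, depth = "", "", 0
    for ch in text:
        if depth == 0 and ch != "(":
            alias += ch                            # still reading the alias name
            continue
        body += ch
        depth += {"(": 1, ")": -1}.get(ch, 0)      # track nesting of the entry
        if depth == 0:                             # entry closed
            yield alias.strip(" \t\r\n=").upper(), re.sub(r"\s+", "", body).lower()
            alias, body = "", ""

def audit(text):
    """Return (alias, finding) pairs for the settings discussed in the thread."""
    findings = []
    for alias, body in split_entries(text):
        protocols = set(re.findall(r"\(protocol=(\w+)\)", body))
        if re.search(r"\(presentation=http://", body):
            findings.append((alias, "OSE_HTTP_PRESENTATION"))
        # Heuristic (assumption): any entry mentioning "extproc" is an EXTPROC entry.
        if "extproc" in alias.lower() or "extproc" in body:
            findings.append((alias, "EXTPROC_TCP" if "tcp" in protocols else "EXTPROC_IPC_ONLY"))
    return findings

if __name__ == "__main__":
    for alias, finding in audit(SAMPLE):
        print(f"{alias}: {finding}")
```

Entries reported as `EXTPROC_TCP` or `OSE_HTTP_PRESENTATION` are the ones to remove first when the feature is not in use.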
