
Potential Security Flaw in OAS 4.07 with LiveHTML

From: SoftImage User <softimg_at_iscs-i.com>
Date: Mon, 24 Jan 2000 05:58:49 -0800
Message-ID: <388C5A99.C3567F62@iscs-i.com>


The examples using Web Application Objects that depict connecting to the database using the DBI
Perl modules contain the userid/password to log in. The Perl code that is embedded within the HTML
file as a .hsp file type is interpreted within the OAS server and thus the Perl code is not visible but
compiled and the resultant HTML tags, if any, are displayed. This, unfortunately, does not hold for the
Netscape browser, which caches the .hsp file, which is available for any client to use across any
supported platform, thus giving someone a big inside towards their cracking efforts. Of course,
one could read the password from somewhere else, preferably encrypted, merely adding to the
complexity.

Henry

hkatz_at_iscs-i.com Received on Mon Jan 24 2000 - 07:58:49 CST
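
The mitigation the post mentions, reading the password from somewhere other than the page source, as an added example that is not part of the original post or of Oracle's samples. The credential file path, its `key=value` layout and the key names `dsn`, `user` and `password` are assumptions made for illustration; the file is kept outside any directory the web server publishes and is rejected if group or other can access it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl ':mode';    # S_IRWXG, S_IRWXO permission masks
use DBI;

# Hypothetical path, outside any directory the web server publishes.
my $CRED_FILE = '/etc/myapp/db.cred';

# Parse "key=value" lines; refuse a file that group or other can access.
sub load_credentials {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    die "$path must not be accessible to group or other\n"
        if $st[2] & (S_IRWXG | S_IRWXO);

    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my %cred;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;    # skip comments and blank lines
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "malformed line $. in $path\n";
        $cred{$k} = $v;
    }
    close $fh;
    for my $need (qw(dsn user password)) {
        die "$path is missing '$need'\n" unless defined $cred{$need};
    }
    return \%cred;
}

# Before (constructed values, as in a hard-coded sample):
#   my $dbh = DBI->connect('dbi:Oracle:ORCL', 'app_user', 'app_password');
# After: no secret appears in the page source, so a cached or leaked copy
# of the page does not disclose the database login.
sub connect_db {
    my $c = load_credentials($CRED_FILE);
    return DBI->connect($c->{dsn}, $c->{user}, $c->{password},
                        { RaiseError => 1, PrintError => 0 });
}

# Run directly to check the credential file and the connection.
unless (caller) {
    my $dbh = connect_db();
    print "connected\n";
    $dbh->disconnect;
}
```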
