Oracle FAQ Your Portal to the Oracle Knowledge Grid
Newsgroup: c.d.o.server

Re: Why are people so afraid of underscore parameters ?

From: Yong Huang <yong321_at_yahoo.com>
Date: 30 Aug 2002 14:35:34 -0700
Message-ID: <b3cb12d6.0208301335.369c8e18@posting.google.com>


kazimiej_at_bms.com (Joe Kazimierczyk) wrote in message news:<e2242da1.0208290958.2dd481ec_at_posting.google.com>...
> Even worse: with alter session and readable trace files,
> in Oracle 7, 8i, and up, it's possible to find user's passwords
> in plain text. This clever trick can be found in the white paper
> "exploiting and protecting oracle" at www.pentest-limited.com
>
> All the more reason to be cautious when using undocumented features.

Hi, Joe,

I think you're referring to http://www.pentest-limited.com/utl_file.htm. Now I know what event Tom Kyte was talking about. I tested it. Even in a library cache dump at level 3, "alter user ... identified by ..." is shown, although v$sql only shows the first 20 characters, such as "alter user yong iden". So if a user can alter session and see the trace, the only workaround is for the DBA to flush the shared pool right after changing a user's password. I wish some events had to be set with a command other than alter session. Allowing alter session to dump the library cache is like allowing setenv or stty commands to run crash(1M) in Solaris (crash is used to "examine system image").

Yong Huang

Received on Fri Aug 30 2002 - 16:35:34 CDT
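The practical consequence of the post above is that any trace file written after such a dump is a credential store: whoever can read user_dump_dest can harvest every "alter user ... identified by ..." that was still in the shared pool. The following scanner is an added example, not code from the thread or from the pentest-limited paper. It walks trace text looking for the credential-bearing statements that live in the shared pool in clear text (ALTER USER, CREATE USER, and the CONNECT TO ... IDENTIFIED BY clause of database links), reports where they are without copying the secret into the report, and can produce a redacted copy safe to hand to support. The sample trace text is constructed for the example; its surrounding layout is made up and is not the real library cache dump format, only the embedded SQL is what the regexes care about.

```python
import re
from typing import Dict, List

# Credential-bearing Oracle DDL that lands in the shared pool in clear text and
# therefore shows up in a library cache dump or SQL trace.  The password may be
# a bare identifier or a double-quoted string.
CRED_PATTERNS = [
    ("ALTER USER",  re.compile(r'\bALTER\s+USER\s+("?[\w$#]+"?)\s+IDENTIFIED\s+BY\s+("[^"]*"|[\w$#]+)', re.I)),
    ("CREATE USER", re.compile(r'\bCREATE\s+USER\s+("?[\w$#]+"?)\s+IDENTIFIED\s+BY\s+("[^"]*"|[\w$#]+)', re.I)),
    ("DB LINK",     re.compile(r'\bCONNECT\s+TO\s+("?[\w$#]+"?)\s+IDENTIFIED\s+BY\s+("[^"]*"|[\w$#]+)', re.I)),
]

# Constructed sample standing in for a trace file from user_dump_dest.  The
# surrounding layout is invented for this example; only the embedded SQL text
# matters to the scanner.
SAMPLE_TRACE = """\
*** SESSION ID:(12.345) 2002-08-30 14:35:34.000
LIBRARY OBJECT HANDLE: handle=8a7f3c2c
name=alter user yong identified by "S3cretPw!"
LIBRARY OBJECT HANDLE: handle=8a7f4d1e
name=select sql_text from v$sql where sql_text like 'alter user%'
LIBRARY OBJECT HANDLE: handle=8a7f5a00
name=CREATE DATABASE LINK remote CONNECT TO app IDENTIFIED BY apppw USING 'REMOTE'
"""


def scan_trace(text: str, source: str) -> List[Dict]:
    """Report every credential-bearing statement in a trace without copying
    the secret itself into the report (only its length is recorded)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in CRED_PATTERNS:
            for m in pat.finditer(line):
                secret = m.group(2)
                if secret.startswith('"'):
                    secret = secret[1:-1]
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "user": m.group(1).strip('"'),
                    "password_len": len(secret),
                })
    return findings


def redact(text: str) -> str:
    """Return a copy of the trace with every password replaced by <redacted>,
    so the file can be attached to a ticket or shared with support."""
    out = text
    for _, pat in CRED_PATTERNS:
        # Keep everything up to the start of the password group, drop the rest.
        out = pat.sub(lambda m: m.group(0)[: m.start(2) - m.start(0)] + "<redacted>", out)
    return out


def scan_file(path: str) -> List[Dict]:
    """Scan a real trace file on disk (path is whatever you point it at)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_trace(fh.read(), path)


if __name__ == "__main__":
    for f in scan_trace(SAMPLE_TRACE, "ora_12345.trc"):
        print(f"{f['source']}:{f['line']}: {f['kind']} for {f['user']} "
              f"(password of {f['password_len']} chars exposed)")
    print(redact(SAMPLE_TRACE))
```

Running it against the sample reports the ALTER USER on line 3 and the database-link credential on line 7, while the v$sql query on line 5 (which merely mentions "alter user") is left alone. Point scan_file at the trace directory's files to audit a real system; the flush-the-shared-pool workaround from the post reduces the window, but traces already written keep the passwords until they are deleted or redacted.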

