Oracle FAQ, Usenet archive (c.d.o.server): Re: Why are people so afraid of underscore parameters ?
kazimiej_at_bms.com (Joe Kazimierczyk) wrote in message news:<e2242da1.0208290958.2dd481ec_at_posting.google.com>...
> Even worse: with alter session and readable trace files,
> in Oracle 7, 8i, and up, it's possible to find users' passwords
> in plain text. This clever trick can be found in the white paper
> "Exploiting and Protecting Oracle" at www.pentest-limited.com
>
> All the more reason to be cautious when using undocumented features.
Hi, Joe,

I think you're referring to http://www.pentest-limited.com/utl_file.htm. Now I know what event Tom Kyte was talking about. I tested it. Even in a library cache dump at level 3, "alter user..identified by.." is shown in full, although v$sql only shows the first 20 characters, such as "alter user yong iden". So if a user can alter session and read the trace files, the only workaround is for the DBA to flush the shared pool right after changing a user's password. I wish some events had to be set with a command other than alter session. Allowing alter session to dump the library cache is like allowing the setenv or stty commands to run crash(1M) in Solaris (crash is used to "examine system image").
Yong Huang

Received on Fri Aug 30 2002 - 16:35:34 CDT
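The sequence Yong describes, written out as an added SQL*Plus example that is not part of the original post or of the Pentest Limited paper. The user name SCOTT and the password value are placeholders; the level-3 library cache dump event and the shared pool flush are standard Oracle commands, and reading V$SQL is assumed to have been granted to the non-DBA session.

```sql
-- Added example (not from the original post). Run as a DBA unless noted.
-- SCOTT and the password are placeholders chosen for illustration.

-- 1. The password change. The full statement text now sits in the shared pool.
ALTER USER scott IDENTIFIED BY "Xk9tempPw";

-- 2. What V$SQL exposes (assuming the querying session has SELECT on V$SQL):
--    the text is truncated to "alter user scott iden", i.e. the first 20
--    characters, so V$SQL alone does not leak the password.
SELECT sql_text
  FROM v$sql
 WHERE UPPER(sql_text) LIKE 'ALTER USER%';

-- 3. The exposure Yong tested: any session holding the ALTER SESSION privilege
--    can dump the library cache into its own trace file under user_dump_dest,
--    and that dump carries the untruncated statement, password included.
--    (Run from the low-privileged session; the DBA cannot prevent it with a
--    grant, only by withholding ALTER SESSION or access to the trace directory.)
ALTER SESSION SET EVENTS 'immediate trace name library_cache level 3';

-- 4. The workaround from the post: flush the shared pool immediately after the
--    password change so the cursor no longer exists to be dumped.
ALTER SYSTEM FLUSH SHARED_POOL;

-- 5. Verify the cursor is gone. Expect no rows; a cursor that is still pinned
--    by an open session survives the flush and should be re-checked.
SELECT sql_text
  FROM v$sql
 WHERE UPPER(sql_text) LIKE 'ALTER USER%';
```

Two caveats a DBA would want with this: the flush only removes what is still in the shared pool, so a trace file written between steps 1 and 4 keeps the password and has to be found and deleted on the host; and the window itself cannot be closed by flushing, only by not letting untrusted sessions hold ALTER SESSION and read user_dump_dest in the first place.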