Re: List of security issues/fixes for Oracle 9i R1 & R2
Hi Yong
I do include quite a few criticisms, but not the particular one you mention. It is common unfortunately in the Oracle world to pass passwords on the command line for scripts.
Thanks for the detail
Kind regards
Pete
In article <b3cb12d6.0301291134.17752d88_at_posting.google.com>, Yong Huang <yong321_at_yahoo.com> writes
>Pete Finnigan <pete_at_peterfinnigan.demon.co.uk> wrote in message news:<l0Mhy0Ah7vN+Ew$l_at_peterfinnigan.demon.co.uk>...
>> Hi Joe
>>
>> All of the security alerts that Oracle have acknowledged and released
>> patches or workarounds for have advisories posted to
>> http://otn.oracle.com/deploy/security/alerts.htm. There is a subscriber list also at the
>> same site. You need a free user account creating.
>>
>> I have just written a book for the SANS Institute with the help of some
>> of the guys who contribute to this list. It is called "Oracle security
>> step-by-step (A survival guide to Oracle security)". It's a list of known
>> configuration issues and default installation issues and for each issue
>> there are checks to perform and actions to take. See
>> http://store.sans.org for details.
>
>Hi, Pete,
>
>I didn't read your articles or books yet. I hope you included
>criticism on some Oracle-supplied shell scripts that require password
>to be passed as a command line argument. For one of many examples, the
>Oracle Portal ssodatan script needs -p portal_password and -d
>sso_password. I imagine if the scripts came from Sun or HP, the
>authors might have done some terminal trick to not display the
>password.
>
>Yong Huang
--
Pete Finnigan
Email : pete_at_peterfinnigan.demon.co.uk
Email : pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com
Independent consultant specialising in Oracle security.

Pete Finnigan is the author of the recently published book about Oracle security from the SANS Institute "Oracle security Step-by-step (A survival guide for Oracle security)" - see http://store.sans.org for details and pre-order special prices.
Some recently published articles include:
http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part one"
http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part two"

Received on Wed Jan 29 2003 - 16:36:18 CST
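
Added example, not part of the original thread and not Oracle's code: a POSIX shell sketch of the "terminal trick" discussed above, prompting with echo disabled and handing the password to a tool on standard input instead of as a command-line argument. The helper names `read_secret` and `feed_secret` and the tool name `some_tool` are hypothetical, and the sketch assumes the target tool can read its password from stdin.

```sh
#!/bin/sh
# Arguments such as "-p portal_password" sit in the process list, readable by
# other local users while the script runs. These helpers keep the password
# out of argv. Names are hypothetical (added example).

# read_secret PROMPT -> prints the secret on stdout.
# The prompt goes to stderr so $(...) captures only the secret.
read_secret() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        # Interactive: save terminal settings, turn echo off, and restore
        # them even if the user interrupts the prompt with Ctrl-C.
        saved_tty=$(stty -g)
        trap 'stty "$saved_tty"; exit 130' INT TERM
        stty -echo
        IFS= read -r secret
        stty "$saved_tty"
        trap - INT TERM
        printf '\n' >&2
    else
        # Piped or redirected input: there is no terminal echo to suppress.
        IFS= read -r secret
    fi
    printf '%s' "$secret"
}

# feed_secret SECRET CMD [ARGS...] -> runs CMD with the secret on its stdin.
# printf is a builtin in bash and dash, so no new process is started with the
# secret in its argument list; only CMD and ARGS are visible.
feed_secret() {
    fs_secret=$1
    shift
    printf '%s\n' "$fs_secret" | "$@"
}

# Usage sketch (some_tool is hypothetical and must read the password from stdin):
#   pw=$(read_secret 'Portal password: ')
#   feed_secret "$pw" some_tool
```
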