
Re: List of security issues/fixes for Oracle 9i R1 & R2

From: Pete Finnigan <pete_at_peterfinnigan.demon.co.uk>
Date: Wed, 29 Jan 2003 22:36:18 +0000
Message-ID: <YXx+GPBidFO+EwDh@peterfinnigan.demon.co.uk>


Hi Yong

I do include quite a few criticisms, but not the particular one you mention. It is common unfortunately in the Oracle world to pass passwords on the command line for scripts.

Thanks for the detail

Kind regards

Pete

In article <b3cb12d6.0301291134.17752d88_at_posting.google.com>, Yong Huang <yong321_at_yahoo.com> writes
>Pete Finnigan <pete_at_peterfinnigan.demon.co.uk> wrote in message news:<l0Mhy0Ah7vN+Ew$l_at_peterfinnigan.demon.co.uk>...
>> Hi Joe
>>
>> All of the security alerts that Oracle have acknowledged and released
>> patches or workarounds for have advisories posted to
>> http://otn.oracle.com/deploy/security/alerts.htm. There is a subscriber list also at the
>> same site. You need a free user account creating.
>>
>> I have just written a book for the SANS Institute with the help of some
>> of the guys who contribute to this list. It is called "Oracle security
>> step-by-step (A survival guide to Oracle security)". It's a list of known
>> configuration issues and default installation issues and for each issue
>> there are checks to perform and actions to take. See
>> http://store.sans.org for details.
>
>Hi, Pete,
>
>I didn't read your articles or books yet. I hope you included
>criticism on some Oracle-supplied shell scripts that require a password
>to be passed as a command line argument. For one of many examples, the
>Oracle Portal ssodatan script needs -p portal_password and -d
>sso_password. I imagine if the scripts came from Sun or HP, the
>authors might have done some terminal trick to not display the
>password.
>
>Yong Huang

-- 
Pete Finnigan

Email : pete_at_peterfinnigan.demon.co.uk
Email : pete_at_petefinnigan.com

Web site: http://www.petefinnigan.com

Independent consultant specialising in Oracle security. Pete Finnigan is the 
author of the recently published book about Oracle security from the SANS 
Institute "Oracle security Step-by-step (A survival guide for Oracle security)" 
- see http://store.sans.org for details and pre-order special prices.

Some recently published articles include:

http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part 
one"

http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part 
two"
Received on Wed Jan 29 2003 - 16:36:18 CST
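The "terminal trick" Yong mentions, as an added POSIX shell example that is not from either poster or from Oracle: the password is read with echo disabled and handed to the child process over a pipe, so it never appears in argv (visible to every local user via `ps`) or in shell history. `consumer` is a hypothetical stand-in for a script such as ssodatan, assumed here to read its password from standard input rather than from `-p`/`-d` switches.

```shell
#!/bin/sh
# Added example, not part of the original thread.

# Read one line of secret input. Echo is turned off only when stdin is a
# terminal, so the function also works non-interactively (pipes, tests).
read_secret() {
    prompt=$1
    if [ -t 0 ]; then
        printf '%s: ' "$prompt" >&2
        old_stty=$(stty -g)
        stty -echo
        IFS= read -r secret
        stty "$old_stty"
        printf '\n' >&2
    else
        IFS= read -r secret
    fi
    printf '%s\n' "$secret"
}

# Run a command that expects its password on stdin. Only the non-sensitive
# arguments end up in the child's argv; the secret travels through the pipe.
# Contrast with the pattern criticised above:  tool -p "$secret"  puts the
# value into the process list for as long as the tool runs.
run_with_secret_on_stdin() {
    secret=$1
    shift
    printf '%s\n' "$secret" | "$@"
}

# Hypothetical consumer: reads the password from stdin and reports only its
# length, never the value itself.
consumer() {
    IFS= read -r pw
    printf 'received %d-character password for user %s\n' "${#pw}" "$1"
}
```

Interactive use: `pw=$(read_secret 'Portal password'); run_with_secret_on_stdin "$pw" consumer portal`.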