
passwords in clear text and password protected roles bypass

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Sun, 14 Mar 2004 21:22:37 +0000
Message-ID: <ZCkWIxAd0MVARx5i@peterfinnigan.demon.co.uk>


Hi Everyone,

Last week there was a thread on the ORACLE-L list started by Nuno about if it was possible for someone to get the SYS password in 10 minutes. In one reply I showed that when you do ALTER USER the password is sent in clear text to the server and can be seen with SQL*Net trace and hence could be grabbed.

I was checking if the same occurred with the "set role blah identified by blah" syntax (it does) and I found a way to bypass password protected roles. I have written up the examples along with some suggestions to protect against this in two "very" short papers and put them on my site if anyone is interested. They are at:

http://www.petefinnigan.com/ramblings/passwords_in_clear_text.htm and
http://www.petefinnigan.com/ramblings/issues_with_roles_and_passwords.htm

(beware of URL wrap)

Hope you find them useful.

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Sun Mar 14 2004 - 15:22:37 CST
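
An added example, not from the original post or the papers it links to: a redaction pass that masks the password in the two statement forms the post names (ALTER USER and SET ROLE ... IDENTIFIED BY) before captured statement text is stored or shared. It assumes the SQL text has already been recovered as plain lines (the SQL*Net trace packet layout is not parsed here); the function names and sample lines are constructed.

```python
import re

# The two statement forms named in the post.
_KIND = re.compile(r'\b(ALTER\s+USER|SET\s+ROLE)\b', re.IGNORECASE)

# A cleartext password follows IDENTIFIED BY, or REPLACE (the old password in
# ALTER USER ... REPLACE). IDENTIFIED BY VALUES '<hash>' is skipped because it
# carries a hash rather than a cleartext password.
_SECRET = re.compile(
    r'\b(IDENTIFIED\s+BY|REPLACE)(\s+)(?!VALUES\b)("[^"]*"|[^\s;,]+)',
    re.IGNORECASE,
)


def redact_line(line):
    """Return (redacted_line, kind); kind is 'ALTER USER', 'SET ROLE' or None."""
    m = _KIND.search(line)
    if not m:
        return line, None
    kind = " ".join(m.group(1).upper().split())
    redacted, n = _SECRET.subn(
        lambda s: s.group(1) + s.group(2) + "<redacted>", line
    )
    return redacted, (kind if n else None)


def scan(lines):
    """Redact every line and report (line_number, kind) without the secret."""
    out, findings = [], []
    for no, line in enumerate(lines, 1):
        redacted, kind = redact_line(line)
        out.append(redacted)
        if kind:
            findings.append((no, kind))
    return out, findings


# Constructed sample statements (not taken from a real trace).
SAMPLE = [
    "ALTER USER scott IDENTIFIED BY tiger;",
    'set role app_admin identified by "S3cret Role", app_read identified by r3ad;',
    "ALTER USER scott IDENTIFIED BY n3wpw REPLACE tiger;",
    "ALTER USER scott IDENTIFIED BY VALUES '0123456789ABCDEF';",
    "SELECT * FROM dual;",
    "SET ROLE ALL;",
]

if __name__ == "__main__":
    for text in scan(SAMPLE)[0]:
        print(text)
```
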
