Re: Adding some random characters to Oracle password
Pete Finnigan wrote:
> Just out of interest did you check program and module in v$session or
> just program? - I don't expect the end result to change but I would be
> interested to know. For SQL*Plus on Windows I get
>
> SQL> select module,program from v$session
>   2  where username=user;
>
> MODULE
> ----------------------------------------------
> PROGRAM
> ----------------------------------------------
> SQL*Plus
> sqlplusw.exe
>
>
> SQL>
Just out of curiosity - or maybe cynicism - what happens if a client program identifies itself the same way as SQL*Plus? Or, more likely, someone writes a tool somewhat similar to SQL*Plus that can execute more or less arbitrary SQL commands, but carefully identifies the program as 'not SQL*Plus' and hence trustworthy (or more trustworthy). Can someone deduce which applications are trusted, work out how the trusted applications identify themselves, and create their own executable which identifies itself the same way but is actually totally untrustworthy? How much effort is involved (not that effort required counts for much compared with simple feasibility in matters of security)?
Obviously, in practice SQL*Plus is the loose cannonball and is the program that gets constrained first (so my original question is of limited interest), but what about the trusted programs? How hard is it to work out how trusted programs identify themselves and mimic a trusted program?
(If it's any consolation, the Informix equivalent of SQL*Plus is DB-Access and it is just as much a loose cannonball as SQL*Plus.)
> Howard J. Rogers <hjr_at_dizwell.com> writes
--
Jonathan Leffler                   #include <disclaimer.h>
Email: jleffler_at_earthlink.net, jleffler_at_us.ibm.com
Guardian of DBD::Informix v2003.04 -- http://dbi.perl.org/

Received on Mon Nov 01 2004 - 22:31:46 CST