Re: WebDB on NT -- ridiculous security hole?

From: jason <jason_at_seahorseNOSPAM.demon.co.uk>
Date: Fri, 17 Dec 1999 10:19:43 +0000
Message-ID: <Mg5aOP2tuhDX1ysbFcP82EaoWK=z_at_4ax.com>


Yes. I changed the default password.

Jason.

On 16 Dec 1999 14:55:48 -0600, "Jim Mooney" <mooneyj_at_mantech-wva.com> wrote:

>
>Hello to all -- I am trying this question again after a month
>or more with no response and also no progress.
>
>Has *anyone* managed to get WebDB (2.1) working on NT 4.0 using
>IIS 4.0, or any other listener for that matter, in a way which
>is not *ridiculously* insecure? By this I mean that any web
>user can see and modify the gateway admin page and gain total
>access as the WEBDB user.
>
>Oracle acknowledges that the WebDB listener supports minimal
>security only. Oracle support has told us that the only way
>to block general access to the gateway page by anyone who knows
>the URL is to use a better listener such as IIS. Even using IIS,
>we have yet to find an acceptable way to do this. The solution
>proposed by Oracle seems to involve moving wdbcgi.exe to the
>"bin" directory, which would have the minor side effect of
>making every executable in that directory accessible to the
>whole Internet world ...
>
>A further problem seems to be that using IIS as the listener
>causes WebDB to present its own login page (rather than the
>usual box -- I have no idea why), and *no matter what* input
>is typed, the page simply reappears. We have heard this is a
>known bug in wdbcgi.exe. If so, what is the fix? The problem
>*can* be avoided by storing the userid and password in the DAD
>via the gateway page. In this case everything works -- but do
>you wonder why we do not want to do this :-( ?
>
>These questions have been open issues posed to Oracle support
>weeks ago (we have full support). So far they have been of
>very little help.
>
>Does anyone have any information on the actual content of
>wdbcgi.exe, that would allow us to understand this better if
>not modify it?
>
>Are we missing something obvious, or is it really completely
>impossible for anyone to have a minimally secure implementation
>of WebDB on NT? Any help will be appreciated.
>
>Jim Mooney
>mooneyj_at_mantech-wva.com
Received on Fri Dec 17 1999 - 11:19:43 CET
