Re: ? security leak in Oracle7.1 on WindowsNT ?

From: Kees Verruijt <kees_at_redwood.nl>
Date: 1995/09/03
Message-ID: <DEC2qq.4H3_at_inter.NL.net>#1/1


>
> I'm using Oracle7 Server Release 7.1.3.3.6 - Production Release
> on WindowsNT 3.5.1.
>
> After adding the value DBA_AUTHORIZATION:REG_SZ:BYPASS
> to the NT-registry-key /HKEY_LOCAL_MACHINE/SOFTWARE/ORACLE
> sqldba allows me to 'connect internal' without password checking.
> ( Without the entry a password is required to connect internal )
>
> The problem is, that AFAIK ANY(!?) user with permission to
> 'log on locally' can edit this part of the registry and so
> can 'grant' himself unlimited access to the database.
>
> Do you consider this to be a security leak or do you know how to
> prevent a 'normal' user from manipulating this part of the
> registry? Is this behaviour a feature or a bug that will be fixed
> in coming releases?
>
> ( Interestingly, as I tried the same entry on
> Oracle7 Workgroup Server Release 7.1.3.3.3 - Production Release
> on WinNT3.5 it seemed to have no effect, the sqldba of this release
> ignores the entry and still requires a password to connect internal. )

I suppose you mistyped something: we're using 7.1.3.3.3 and it works fine with the BYPASS value (i.e. without requiring the password).

>
> Thanks
>
> --
> _/_/_/ _/_/_/ _/ _/ // Reinhard Kuhn / It can be
> _/ _/ _/ _/ _/ // (kuhn_at_cas-ps.com) / done quickly,
> _/_/_/ _/_/_/ _/_/ // CAS GmbH / cheaply or well
> _/ _/ _/ _/ _/ // Lemberger Strasse 14 / - pick any two!
> _/ _/ _/_/_/ _/ _/ // 66955 Pirmasens, Germany /
>
>
Received on Sun Sep 03 1995 - 00:00:00 CEST
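
An audit of the registry key discussed in this thread, added here as an example (it is not part of either poster's message and is not Oracle code). It assumes a Windows host with PowerShell available; the function name Test-OracleBypassKey and the list of expected writers are hypothetical and should be adjusted per site.

```powershell
# Added example. Key path and value name are the ones quoted in the thread.
function Test-OracleBypassKey {
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\ORACLE',
        [string]$ValueName = 'DBA_AUTHORIZATION',
        # Assumption: only these principals should be able to modify the key.
        [string[]]$ExpectedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    if (-not (Test-Path -Path $KeyPath)) {
        Write-Output "Key $KeyPath not present; nothing to audit."
        return
    }

    # 1. Is the password bypass currently switched on?
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($prop -and $prop.$ValueName -eq 'BYPASS') {
        Write-Warning "$ValueName=BYPASS is set under $KeyPath"
    } else {
        Write-Output "$ValueName is not set to BYPASS under $KeyPath"
    }

    # 2. Who could add or change the value? Build a mask of rights that allow
    #    writing values or rewriting the ACL, plus GENERIC_WRITE / GENERIC_ALL,
    #    which can show up as raw bits in registry ACEs.
    $rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

    $acl   = Get-Acl -Path $KeyPath
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights -band $writeMask) -ne 0) -and
        ($ExpectedWriters -notcontains $_.IdentityReference.Value)
    }

    if ($risky) {
        Write-Warning "Unexpected principals can modify ${KeyPath}:"
        $risky | Select-Object IdentityReference, RegistryRights, IsInherited
    } else {
        Write-Output "Only expected principals hold write access to $KeyPath"
    }
}

Test-OracleBypassKey
```

Any principal listed by the second check can set the value the original poster describes, so those entries are the ones to review on the key's ACL.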
