Re: capture oracle pwd change in 3rd party application. help needed

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Thu, 6 Nov 2003 10:48:26 +0000
Message-ID: <xci8vsA6biq$Qx7x_at_peterfinnigan.demon.co.uk>


Hi,

This all sounds a bit like hacking to me, not the best way to solve a problem! Maybe it would be better to ask the application manufacturer?

BUT, there are a number of possibilities that you could try. You could implement a layer above OCI (it should be OCI unless it's the thin driver) and basically get the third party application to call your version of OCI first, extract the string and then call the real OCI layer. This is a hard way to crack the problem though. If it is Java you could do something illegal and decompile the Java and modify it and recompile - your supplier would not support you though!!!!

You don't have to access the username and password either in the application, you could just run a process regularly that synchronises password hashes between the databases using the "identified by values" version of alter user. This would depend on how long you can wait for passwords to synchronise. You could also use single sign on?

You could also grab the text off the wire or via trace; my recent paper called "Detecting SQL Injection in Oracle" might help. You can get it at http://www.petefinnigan.com/orasec.htm. Finally, you might be able to find a way to screen scrape the application at the terminal level - there are a few commercial products to do this, mainly used for automated testing.

hth
kind regards

Pete

PS: please don't cross post, most people read all of these groups!

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Thu Nov 06 2003 - 11:48:26 CET
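
The hash-synchronisation option mentioned in the message, sketched as an added example (not code from the original post): given username-to-hash maps already read from each database, it plans the `ALTER USER ... IDENTIFIED BY VALUES` statements for accounts whose hashes differ. The function name, the skip list, the 16-hex-digit hash format (as stored in `DBA_USERS.PASSWORD` on releases of that era) and the sample data are assumptions.

```python
import re

# Assumptions (not from the original post): hashes are the 16-hex-digit
# pre-11g format read from DBA_USERS.PASSWORD, and account names are
# ordinary unquoted Oracle identifiers. That hash is derived from the
# username as well as the password, so it is only valid for the same
# username on the target; accounts are therefore matched by name.
USER_RE = re.compile(r"[A-Z][A-Z0-9_$#]{0,29}")
HASH_RE = re.compile(r"[0-9A-F]{16}")
SKIP = {"SYS", "SYSTEM"}  # never overwrite built-in admin accounts


def plan_sync(source, target):
    """Return (statements, rejected) to bring target hashes in line with source.

    source and target map username -> password hash as read from each database.
    """
    statements, rejected = [], []
    for user in sorted(source):
        hash_ = source[user]
        if user in SKIP or user not in target:
            continue  # only sync ordinary accounts that exist on both sides
        if not USER_RE.fullmatch(user) or not HASH_RE.fullmatch(hash_ or ""):
            rejected.append(user)  # refuse to build DDL from unexpected text
            continue
        if target[user] != hash_:
            statements.append(
                f"ALTER USER {user} IDENTIFIED BY VALUES '{hash_}'"
            )
    return statements, rejected


# Constructed sample data; the hashes are made-up placeholders.
SOURCE = {
    "SCOTT": "0123456789ABCDEF",    # unchanged on target
    "APPUSER": "FEDCBA9876543210",  # changed on source
    "SYS": "1111111111111111",      # skipped by policy
    "BATCH": "BAD'VALUE",           # malformed, rejected
    "REPORTS": "2222222222222222",  # no such account on target
}
TARGET = {
    "SCOTT": "0123456789ABCDEF",
    "APPUSER": "0000000000000000",
    "SYS": "9999999999999999",
    "BATCH": "3333333333333333",
}

if __name__ == "__main__":
    stmts, bad = plan_sync(SOURCE, TARGET)
    print("\n".join(stmts))
    print("rejected:", bad)
```

The strict format checks matter because the statement is DDL built by string concatenation, so anything that is not a plain identifier or a plain hex hash is rejected rather than quoted.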
