Re: capture oracle pwd change in 3rd party application. help needed

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Fri, 7 Nov 2003 18:34:24 +0000
Message-ID: <wgw8AcAwW+q$QxYC_at_peterfinnigan.demon.co.uk>

>>         My objection is that it would take me a matter of minutes to

> make myself an account on another
> machine on which I had no permissions. It is a hacker's delight.

Hi Daniel,

I think there is another point to make here is that we are not implementing this but just discussing possible solutions without knowing the application or architecture, tools, requirements etc.... I would say that a script to synchronise password hash values should be run in a secure manner and also would not add new accounts, just synchronise old ones. I would also re-iterate this isn't the way to fix an issue like this, why does this application need to have synchronised access to two databases? and why isn't the manufacturer involved.

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

Received on Fri Nov 07 2003 - 19:34:24 CET

This message: [ Message body ]
Next message: Daniel Morgan: "Re: capture oracle pwd change in 3rd party application. help needed"
Maybe in reply to: Lasher: "capture oracle pwd change in 3rd party application. help needed"
In reply to Daniel Morgan: "Re: capture oracle pwd change in 3rd party application. help needed"
Next in thread: Daniel Morgan: "Re: capture oracle pwd change in 3rd party application. help needed"
Reply: Daniel Morgan: "Re: capture oracle pwd change in 3rd party application. help needed"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message