
Re: Adding some random characters to Oracle password

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Mon, 1 Nov 2004 11:23:51 +0000
Message-ID: <HPGBrVBHzhhBRxvM@peterfinnigan.demon.co.uk>


Hi Howard,

Just out of interest, did you check program and module in v$session or just program? I don't expect the end result to change but I would be interested to know. For SQL*Plus on Windows I get:

SQL> select module,program from v$session
  2  where username=user;

MODULE
PROGRAM

SQL*Plus
sqlplusw.exe

SQL>

cheers

Pete

In article <4186164e$0$32443$afc38c87_at_news.optusnet.com.au>, Howard J. Rogers <hjr_at_dizwell.com> writes
>OK, one quick test later.
>
>Knock up a silly application in MS Access that links to the EMP table. When
>you query it in V$SESSION, it is listed as program MSACCESS.EXE.
>
>Drop to the operating system and rename c:\program
>files\etc\etc\etc\MSACCESS.EXE HJR.EXE.
>
>Re-run the silly MS Access app: V$SESSION now sees it as program HJR.EXE.
>
>Pete's right in other words: if the application is instrumented to reveal
>its name, then merely renaming the executable doesn't do anything. But if
>the application is "oracle blind", and doesn't know/care to reveal its
>identity via dbms_application_info, then a simple rename will fool the
>system.
>
>Regarding the original paper, that's not an issue, since both SQL*Plus and
>iSQL*Plus instrument properly. But ODBC applications certainly don't.
>
>Regards
>HJR
>
>
>"Pete Finnigan" <plsql_at_petefinnigan.com> wrote in message
>news:sh6rgeB2afhBRxpy_at_peterfinnigan.demon.co.uk...
>>>Excellent question. You realise it will require some testing and research
>>>won't you!? (In other words, I'll get back to you on that one!!).
>>>But it will appear as a new paragraph at the end of the existing paper,
>>>because it's such a good issue to address.
>>>
>>>It is because people ask good questions that we (together) learn good
>>>stuff.
>>>
>>>Regards
>>>HJR
>> Hi Howard,
>>
>> I answered this question over a year ago in relation to SQL*Plus in my
>> newsletter http://www.petefinnigan.com/news_letter_001.pdf - In there I
>> renamed the SQL*Plus binary on the client and on the server and the
>> values in v$session did not change. In other words Oracle networking
>> still knew it was SQL*Plus even though the binary is now called
>> "hacker". I guess this is because SQL*Plus identifies itself internally
>> to the network stack. I don't know if the same will work if you use a
>> third party application unless that application uses
>> dbms_application_info to set up values.
>>
>> hth
>>
>> Kind regards
>>
>> Pete
>> --
>> Pete Finnigan (email:pete_at_petefinnigan.com)
>> Web site: http://www.petefinnigan.com - Oracle security audit specialists
>> Oracle security blog:
>> http://www.petefinnigan.com/weblog/entries/index.html
>> Book:Oracle security step-by-step Guide - see http://store.sans.org for
>> details.
>
>

-- 
Pete Finnigan (email:pete_at_petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Mon Nov 01 2004 - 05:23:51 CST
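
Added example, not part of either post: a query that puts PROGRAM and MODULE side by side for every user session, which is the comparison Pete asks about, and labels rows where the two columns do not support each other. The LIKE patterns come from the SQL*Plus output quoted above; the label texts and the column alias are hypothetical. Both columns are reported by the client, so the result is a lead for follow-up, not proof of which tool connected.

```sql
-- Added example: compare the client identity columns in V$SESSION.
-- PROGRAM normally reflects the client executable's file name;
-- MODULE is whatever the client set (e.g. via dbms_application_info).
SELECT s.sid,
       s.serial#,
       s.username,
       s.osuser,
       s.machine,
       s.program,
       s.module,
       CASE
         -- Nothing but the executable name identifies this client.
         WHEN s.module IS NULL
           THEN 'NO MODULE: program name is the only identifier'
         -- MODULE only repeats PROGRAM, so it adds no independent evidence.
         WHEN UPPER(s.module) = UPPER(s.program)
           THEN 'SAME: module repeats program'
         -- MODULE claims SQL*Plus but PROGRAM is missing or named otherwise
         -- (sqlplusw.exe in the output quoted in the post above).
         WHEN UPPER(s.module) LIKE 'SQL*PLUS%'
              AND (s.program IS NULL
                   OR UPPER(s.program) NOT LIKE 'SQLPLUS%')
           THEN 'MISMATCH: module says SQL*Plus, program does not'
         ELSE 'no mismatch seen'
       END AS client_identity_check   -- hypothetical alias
FROM   v$session s
WHERE  s.username IS NOT NULL         -- skip background processes
ORDER  BY client_identity_check, s.username, s.sid;
```

Running it requires SELECT privilege on V$SESSION.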
