From: jason <jason@seahorseNOSPAM.demon.co.uk>
Newsgroups: comp.databases.oracle.tools
Subject: Re: WebDB on NT -- ridiculous security hole?
Date: Fri, 17 Dec 1999 10:19:43 +0000
Organization: Jump on the "Don't jump on the bandwagon" bandwagon!
Message-ID: <Mg5aOP2tuhDX1ysbFcP82EaoWK=z@4ax.com>
References: <385951d4$1@127.0.0.1>

Yes. I changed the default password.

Jason.

On 16 Dec 1999 14:55:48 -0600, "Jim Mooney" <mooneyj@mantech-wva.com>
wrote:

>
>Hello to all -- I am trying this question again after a month
>or more with no response and also no progress.
>
>Has *anyone* managed to get WebDB (2.1) working on NT 4.0 using
>IIS 4.0, or any other listener for that matter, in a way which
>is not *ridiculously* insecure?  By this I mean that any web
>user can see and modify the gateway admin page and gain total
>access as the WEBDB user.
>
>Oracle acknowledges that the WebDB listener supports minimal
>security only.  Oracle support has told us that the only way
>to block general access to the gateway page by anyone who knows
>the URL is to use a better listener such as IIS.  Even using IIS,
>we have yet to find an acceptable way to do this.  The solution
>proposed by Oracle seems to involve moving wdbcgi.exe to the
>"bin" directory, which would have the minor side effect of
>making every executable in that directory accessible to the
>whole Internet world ...
>
>A further problem seems to be that using IIS as the listener
>causes WebDB to present its own login page (rather than the
>usual box -- I have no idea why), and *no matter what* input
>is typed, the page simply reappears.  We have heard this is a
>known bug in wdbcgi.exe. If so, what is the fix?  The problem
>*can* be avoided by storing the userid and password in the DAD
>via the gateway page.  In this case everything works -- but do
>you wonder why we do not want to do this :-( ?
>
>These questions have been open issues posed to Oracle support
>weeks ago (we have full support).  So far they have been of
>very little help.
>
>Does anyone have any information on the actual content of
>wdbcgi.exe, that would allow us to understand this better if
>not modify it?
>
>Are we missing something obvious, or is it really completely
>impossible for anyone to have a minimally secure implementation
>of WebDB on NT?  Any help will be appreciated.
>
>Jim Mooney
>mooneyj@mantech-wva.com

