SECURITYVULNS:DOC:9146 (vulners.com), Jul 13, 2005
Name: Oracle JDeveloper passes Plaintext Password
Systems Affected: Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2
Severity: Low Risk
Category: Information disclosure of Passwords
Vendor URL: http://www.oracle.com
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 12 July 2005 (V 1.00)
Advisory: AKSEC2003-006
Oracle Vuln#: AS09
Time to fix: 148 days

Details

Starting an external program and passing the password as a command-line parameter is insecure. A command-line argument is visible to anyone who can view the process list, and it is the easiest way to recover a password that JDeveloper otherwise stores encrypted: replace sqlplus.exe with a fake version that stores the passwords in a local file.

JDeveloper starts sqlplus with the following parameter (the password "alexora1" is passed in clear text):
system/alexora1@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))
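
The following Python is an added example, not code from the advisory, from Red-Database-Security or from Oracle. It shows a defender's view of the issue on the reporter's command line above: a detection routine that scans a (constructed) process listing for Oracle connect strings carrying a password and reports them with the password masked, next to the launch pattern the advisory describes and the mitigated pattern (sqlplus started with /nolog, credentials sent as a CONNECT command on stdin so they never appear in argv). The process listing and the jdev.exe line are constructed sample data; launch_sqlplus needs a real sqlplus on PATH and is not exercised.

```python
from __future__ import annotations

import re
import subprocess

# Constructed sample: the sqlplus command line the advisory reports JDeveloper
# launching. The password ("alexora1") is in clear text in the second argument.
SAMPLE_CMDLINE = (
    "sqlplus.exe system/alexora1@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)"
    "(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))"
)

# Constructed process listing (pid, command line), as an audit script or an EDR
# sensor might collect it; only the second entry carries a password.
SAMPLE_PROCESS_LIST = [
    (1204, "jdev.exe -J-Xmx512m"),
    (1388, SAMPLE_CMDLINE),
    (1410, "sqlplus.exe /nolog"),
]

# Oracle connect string with an embedded password: user/password@connect
CONNECT_WITH_PASSWORD = re.compile(
    r"(?P<user>[A-Za-z0-9_$#]+)/(?P<password>[^@\s]+)@(?P<connect>\S+)"
)


def find_exposed_credentials(cmdline: str) -> list[dict[str, str]]:
    """Return every user/password@connect token present in a command line."""
    return [m.groupdict() for m in CONNECT_WITH_PASSWORD.finditer(cmdline)]


def redact(cmdline: str) -> str:
    """Mask the password part of any connect string so the line can be logged safely."""
    return CONNECT_WITH_PASSWORD.sub(lambda m: f"{m['user']}/***@{m['connect']}", cmdline)


def scan_process_list(processes: list[tuple[int, str]]) -> list[tuple[int, str, str]]:
    """Detection: report (pid, user, redacted command line) for every process whose
    command line carries a password, such as the sqlplus launch in the advisory."""
    findings = []
    for pid, cmdline in processes:
        for cred in find_exposed_credentials(cmdline):
            findings.append((pid, cred["user"], redact(cmdline)))
    return findings


def insecure_argv(user: str, password: str, connect: str) -> list[str]:
    """The launch pattern the advisory describes: credentials in argv."""
    return ["sqlplus", f"{user}/{password}@{connect}"]


def secure_invocation(user: str, password: str, connect: str) -> tuple[list[str], str]:
    """Mitigated form: start sqlplus with /nolog so argv carries no credentials, and
    pass the CONNECT command on stdin, which does not show up in the process list."""
    argv = ["sqlplus", "/nolog"]
    stdin = f"CONNECT {user}/{password}@{connect}\n"
    return argv, stdin


def launch_sqlplus(user: str, password: str, connect: str, script: str) -> int:
    """Run sqlplus the mitigated way (requires a real sqlplus on PATH; not run here)."""
    argv, connect_cmd = secure_invocation(user, password, connect)
    proc = subprocess.run(argv, input=connect_cmd + script + "\nEXIT\n", text=True)
    return proc.returncode


if __name__ == "__main__":
    for pid, user, line in scan_process_list(SAMPLE_PROCESS_LIST):
        print(f"pid {pid}: password for {user} exposed on command line: {line}")
    print("insecure argv:", insecure_argv("system", "alexora1", "ora10103"))
    argv, stdin = secure_invocation("system", "alexora1", "ora10103")
    print("mitigated argv:", argv, "(credentials go to stdin instead)")
```

The regex keys on the user/password@connect shape, so it also flags other Oracle tools launched the same way, not only sqlplus. On the mitigation side, stdin is private to the child process, whereas argv is readable from the process table by every local user; that distinction is the whole point of the advisory.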

Workaround
Do not start sqlplus from JDeveloper.

Patch Information
Apply the patches for JDeveloper and/or Developer Suite mentioned in Metalink Note 311038 on your JDeveloper / Developer Suite installation (normally your client PC).

History
14-feb-2005 Oracle secalert was informed
14-feb-2005 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
12-jul-2005 Red-Database-Security published this advisory