I now know this has been mentioned before, however I've gotten a large number of responses from people about Oracle problems similar to this. As a first time Oracle installer, I didn't realize the scope of the problem. I hope that upon reading this, more people will realize that the Default settings under Oracle just aren't secure. Original Post to NTBugtraq: I apologize if this has been mentioned before, however I haven't had any time to pursue this issue with any vigor. I recently installed Oracle 8.0.3 Enterprise Edition on an NT 4.0 Workstation and I noticed a particular feature within Oracle Database Assistant v1.0 that might be of some interest/concern. During the creation of an Oracle database, the Database Assistant lets you create either a custom or typical(default) database. If you select "custom" database, you must enter a master password that controls the administrative features in the database. If you select "typical", this password defaults to 'oracle'. As the database is created, the Server Manager reports all activities to a log file. This log file, "\orant\database\spoolmain.log", even logs the master password as it connects to the server to continue the setup. The entry is as follows: Echo ON SVRMGR> connect INTERNAL/MYPASSWORD Connected. Not only is this password in plaintext, but the file has permissions that enable anyone to view it. (owned by Admins, but full control for everyone) I believe the setup informs you that the file exists and should be checked for errors, but I didn't find any other reference to it in the documentation. The log does get overwritten each time you create a new database, however that just limits the number of plaintext passwords to one. Once again, I haven't had time to look into this, but it seems like a potential problem worth mentioning. -James Kivisild
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:04 PDT