Oracle's ADI 7.1.1.10.1 Major security hole

From: Melanie Abbas (abbasat_private)
Date: Mon May 07 2001 - 06:12:23 PDT


    The version of ADI (Application Desktop Integrator) 7.1.1.10.1 which was
    recently shipped with Oracle's Financial Applications version 11.5.3
    contains a major security breach.
    
    Whenever the software is launched, it creates a file called dbg.txt on the
    local hard drive on the system which contains in PLAIN TEXT the usernames
    and passwords for both the application user and the APPS schema!
    
    To explain further:
    The software runs on Windows systems and uses the net8 client to talk to
    the database; however, users log on with their application ID and password,
    not directly to the database.
    
    In order for this to work, the application goes to the database with a
    public username/password that must never be changed for the application to
    function. The username/password is APPLYSYSPUB and the password is PUB
    (this is openly documented). This database account is able to find the
    APPS schema and encrypted password in the database. It then unencrypts the
    password and uses it to connect to the database. It has always done this
    in order to function, however, for some reason, this release creates what
    appears to be a debug file on the local hard drive and stores this
    information in PLAIN TEXT!
    
    Since release 11 (I believe) all access to the database for the financial
    applications is done by the APPS schema. Thus, the APPS schema has full
    control of all the tables within the database!
    
    I have opened a technical assistance request with Oracle and they are
    working on a fix. It is apparently some code that is in the fndpub11i.dll
    that was delivered with the 7.1.1.10.1 version. They suggest we get an
    earlier release and use the fndpub11i.dll from that version or wait for
    the newer release which should be out soon.
    
    So, if you use ADI, or have locations where users have a net8 client
    connection to your financials database, do NOT install the 7.1.1.10.1
    version! Also be aware that if your users have access to Metalink, the
    offending version is still available for download!
    
    --
    Melanie Abbas
    Oracle Application Administrator - ITS
    University of Northern Iowa
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Be content with such things as you have. For God himself has said, I shall
    never leave you nor forsake you.	-Hebrews 13:5
    
    Office: GIL 255		Regular hours: 8:00-5:00
    Phone: 273-6452		Fax: 273-5836		Beeper: 833-4489
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
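A defender-side check for the problem described in the post above, added here as an example that is not part of the original message: it walks a directory tree for ADI's dbg.txt files and reports which ones look like they hold the account names and password fields the post mentions, without ever echoing the secrets themselves. The line layout of dbg.txt is not documented in the post, so the marker patterns and the constructed sample files are assumptions.

```python
import os
import tempfile

import re

DEBUG_FILENAME = "dbg.txt"

# Heuristic markers for the credentials the post says the file contains.
# The real layout of dbg.txt is unknown here, so these are assumptions.
MARKERS = {
    "public_account": re.compile(r"\bAPPLYSYSPUB\b", re.IGNORECASE),
    "apps_schema": re.compile(r"\bAPPS\b", re.IGNORECASE),
    "password_field": re.compile(r"\bpass(?:word|wd)?\s*[=:]", re.IGNORECASE),
}


def scan_file(path):
    """Return the set of marker names seen in one file (never the matched text)."""
    found = set()
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            for name, pattern in MARKERS.items():
                if pattern.search(line):
                    found.add(name)
    return found


def scan_tree(root):
    """Return [(path, markers)] for every dbg.txt under root, even ones with no markers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == DEBUG_FILENAME:
                path = os.path.join(dirpath, name)
                findings.append((path, scan_file(path)))
    return findings


def is_credential_leak(markers):
    """Treat a file as a leak when it names an account and carries a password field."""
    return "password_field" in markers and bool(markers & {"apps_schema", "public_account"})


def build_sample_tree():
    """Create a temp tree with two constructed dbg.txt files; returns (root, leaky_path, benign_path)."""
    root = tempfile.mkdtemp(prefix="adi-scan-")
    leaky_dir = os.path.join(root, "adi")
    os.makedirs(leaky_dir)
    leaky = os.path.join(leaky_dir, "dbg.txt")
    benign = os.path.join(root, "dbg.txt")
    with open(leaky, "w", encoding="utf-8") as fh:  # constructed sample, not a real file
        fh.write("user=APPLYSYSPUB password=PUB\nschema=APPS password=SAMPLE-NOT-REAL\n")
    with open(benign, "w", encoding="utf-8") as fh:  # constructed sample with no credentials
        fh.write("ADI started\nconnected via net8\n")
    return root, leaky, benign


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, markers in scan_tree(root):
        status = "CREDENTIAL LEAK" if is_credential_leak(markers) else "debug file"
        print(f"{status}: {path} markers={sorted(markers)}")
```

Run it against each user's profile directory on workstations that have had ADI installed; any file flagged as a leak should be removed and the APPS and application passwords it exposed should be rotated.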
    