Hi!

> Post date: 05/22/01
>
> Vulnerability in Oracle E-Business Suite Release 11i Applications
> Desktop Integrator
>
> Overview
> A potential security vulnerability has been discovered in Applications
> Desktop Integrator (ADI) version 7.X for Oracle E-Business Suite Release
> 11i. A debug version of the FNDPUB11I.DLL was inadvertently released
> with a patch to Applications Desktop Integrator (ADI) version 7.X. This
> DLL writes a debug file to the client machine that includes the clear
> text APPS schema password. A malicious user could use this DLL to obtain
> the APPS schema password and thereby gain elevated privileges.
...
> Solution
> The debug version of FNDPUB11I.DLL has been replaced with a production
> version. In addition, a patch is available that introduces an enhanced
> security feature, Application Server Security, to prevent the debug DLL
> from connecting to the database. The complete solution to this

Is it just me, or does this sound like "security by obscurity"? What if I
sit down and write an evil PAVEL11I.DLL that *looks* like the production
one but dumps passwords the way the debug one does?

Looks to me like either

*) the server patch is unnecessary, or
*) you have a security hole anyway.

								Pavel
-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.
This archive was generated by hypermail 2b30 : Fri May 25 2001 - 09:31:57 PDT