Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator

From: Oracle Security Alerts (secalert_usat_private)
Date: Thu May 31 2001 - 16:28:47 PDT

    In response to Pavel Machek's posting (dated 05/22/01), the server patch is
    necessary and with the server security feature turned fully on, you would also
    need to supply a pass-key associated with the machine from which you were
    attempting to make the connection. This is intended to prevent access by
    compromised code or malicious DLLs. Supported Oracle customers should go to
    Metalink for more details and patch availability.
    
    Regards,
    Oracle Security Alerts
    
    Pavel Machek wrote:
    
    > Hi!
    >
    > Is it just me or does this sound like "security by obscurity"? What if I
    > sit down and write evil PAVEL11I.DLL that *looks* like production one
    > but dumps passwords as debug one?
    >
    > Looks to me like either *) server patch is unnecessary or *) you have
    > security hole, anyway.
    >                                                                 Pavel
    


