Bugtraq mailing list archives
Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures
From: rpotts () MED OSD MIL (Ross Potts)
Date: Wed, 23 Jul 1997 07:22:00 -0400
Let me start by saying I love Oracle. I think it's great (when not documenting bugs - if you've tried to find a definition of their error codes, you'll understand).

The server dumps quietly because the DBA probably hasn't set up the database correctly. Unless it is coded into the system you're developing, I don't think Oracle will log activities: i.e. as long as you stay in SQL*NET (an Oracle shell), no one will know you're around. I worked with Oracle 7 on an HP 9000 before it became web enabled. I noticed that every time something went wrong with the database, it would not show up in syslog (one of the logs you were thinking of?).

Now, the trick is to find an account with the role and permission necessary to be able to run a sql script to get passwords from the database (or at this point, if you know enough about SQL, you can pull most text files from the Operating System). I say this because as an administrator, I found that all our users chose to have a database password the same as a machine password. Guess what? Oracle has its passwords in plain text!

As a side note, we discovered that Oracle accounts don't have to have machine accounts. Those were used for another aspect of the product we fielded.

--
Ross Potts                  Internet : Ross.Potts () med osd mil
EDS-D/SIDDOMS               Phone    : (703) 824-7601
Skyline Two, Suite 1200     Beeper   : (703) 316-7976
5203 Leesburg Pike, Falls Church, VA 22041