Bugtraq mailing list archives
Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator
From: Oracle Security Alerts <secalert_us () oracle com>
Date: Thu, 31 May 2001 16:28:47 -0700
In response to Pavel Machek's posting (dated 05/22/01), the server patch is necessary and with the server security feature turned fully on, you would also need to supply a pass-key associated with the machine from which you were attempting to make the connection. This is intended to prevent access by compromised code or malicious DLLs.

Supported Oracle customers should go to Metalink for more details and patch availability.

Regards,
Oracle Security Alerts

Pavel Machek wrote:
Hi!

Is it just me or does this sound like "security by obscurity"? What if I sit down and write evil PAVEL11I.DLL that *looks* like production one but dumps passwords as debug one?

Looks to me like either
*) server patch is unnecessary or
*) you have security hole, anyway.

Pavel