Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator

[Pavel Machek <pavel () ucw cz>]

Hi!

> Post date: 05/22/01
>
> Vulnerability in Oracle E-Business Suite Release 11i Applications
> Desktop Integrator
>
> Overview
> A potential security vulnerability has been discovered in Applications
> Desktop Integrator (ADI) version 7.X for Oracle E-Business Suite Release
> 11i. A debug version of the FNDPUB11I.DLL was inadvertently released
> with a patch to Applications Desktop Integrator (ADI) version 7.X. This
> DLL writes a debug file to the client machine that includes the clear
> text APPS schema password. A malicious user could use this DLL to obtain
> the APPS schema password and thereby gain elevated privileges.

...

> Solution
> The debug version of FNDPUB11I.DLL has been replaced with a production
> version. In addition, a patch is available that introduces an enhanced
> security feature, Application Server Security, to prevent the debug DLL
> from connecting to the database. The complete solution to this

Is it just me or does this sound like "security by obscurity"? What if I 
sit down and write evil PAVEL11I.DLL that *looks* like production one 
but dumps passwords as debug one?

Looks to me like either *) server patch is unnecessary or *) you have
security hole, anyway.
                                                                Pavel
-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.