Bugtraq mailing list archives
Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator
From: Pavel Machek <pavel () ucw cz>
Date: Wed, 23 May 2001 17:43:22 +0000
Hi!
> Post date: 05/22/01
>
> Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator
>
> Overview
>
> A potential security vulnerability has been discovered in Applications Desktop Integrator (ADI) version 7.X for Oracle E-Business Suite Release 11i. A debug version of the FNDPUB11I.DLL was inadvertently released with a patch to Applications Desktop Integrator (ADI) version 7.X. This DLL writes a debug file to the client machine that includes the clear text APPS schema password. A malicious user could use this DLL to obtain the APPS schema password and thereby gain elevated privileges.
...
> Solution
>
> The debug version of FNDPUB11I.DLL has been replaced with a production version. In addition, a patch is available that introduces an enhanced security feature, Application Server Security, to prevent the debug DLL from connecting to the database. The complete solution to this
Is it just me, or does this sound like "security by obscurity"? What if I sit down and write an evil PAVEL11I.DLL that *looks* like the production one but dumps passwords like the debug one?

Looks to me like either

*) the server patch is unnecessary, or
*) you have a security hole anyway.

								Pavel
--
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.
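The leak the advisory describes is a debug trace that serialises the whole connection descriptor, password included, to a file on the client. The following is an added example, not code from Oracle's ADI or from the poster, that reproduces that pattern beside a redacting variant and a check that can be run over the written trace lines. The descriptor fields, the "user/password@rest" connect-string form, and the secret value are constructed for illustration. Note that redaction only fixes the accidental write; it does not address the substitution Pavel raises, since a client that can connect as APPS still holds the APPS credential and a replacement client can do whatever it likes with it.

```python
import re

# Constructed sample of a client-side connection descriptor of the kind a
# desktop client holds to reach the database. Every value here is made up.
SAMPLE_CONNECT = {
    "user": "APPS",
    "password": "apps_secret_example",  # hypothetical secret, not a real one
    "host": "db.example.internal",
    "sid": "PROD",
}

# Key names treated as secret-bearing when a descriptor is logged.
SECRET_KEYS = ("password", "passwd", "pwd")


def format_trace_leaky(conn):
    """Debug-style trace that dumps every field verbatim.

    This is the behaviour the advisory describes (debug build writes the
    clear-text password to a trace file), kept here only for contrast.
    """
    return "connect: " + " ".join(f"{k}={v}" for k, v in conn.items())


def redact(conn):
    """Return a copy of the descriptor with secret-bearing keys masked."""
    return {k: ("***" if k.lower() in SECRET_KEYS else v) for k, v in conn.items()}


def format_trace_redacted(conn):
    """Same trace line, but produced from the redacted copy."""
    return "connect: " + " ".join(f"{k}={v}" for k, v in redact(conn).items())


# Assumed connect-string shape "user/password@rest", the kind of string a
# client library might otherwise log as-is.
CONNECT_STRING_RE = re.compile(r"^(?P<user>[^/]+)/(?P<pw>[^@]+)@(?P<rest>.+)$")


def redact_connect_string(s):
    """Mask the password component of a user/password@rest string.

    Strings that do not match the assumed shape are returned unchanged.
    """
    m = CONNECT_STRING_RE.match(s)
    if not m:
        return s
    return f"{m.group('user')}/***@{m.group('rest')}"


def scan_trace_for_secret(lines, secret):
    """Check trace lines for a known secret value.

    Returns the 1-based numbers of lines containing it; an empty list means
    the trace is clean with respect to that secret.
    """
    return [i for i, line in enumerate(lines, 1) if secret in line]


if __name__ == "__main__":
    trace = [format_trace_leaky(SAMPLE_CONNECT), format_trace_redacted(SAMPLE_CONNECT)]
    for n, line in enumerate(trace, 1):
        print(n, line)
    print("lines exposing the secret:", scan_trace_for_secret(trace, SAMPLE_CONNECT["password"]))
    print(redact_connect_string("APPS/apps_secret_example@PROD"))
```

Running the block shows the first trace line carrying the secret and the second not, and the scanner flags only line 1. The scanner is the part worth keeping: it is a cheap check to run over any debug output a client build writes, using a throwaway credential, before the build ships.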
Current thread:
- Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator Oracle Security Alerts (May 22)
- Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator Pavel Machek (May 25)