Home page logo

bugtraq logo Bugtraq mailing list archives

Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures
From: rpotts () MED OSD MIL (Ross Potts)
Date: Wed, 23 Jul 1997 07:22:00 -0400

Let me start by saying I love Oracle.  I think it's great (when not documenting
bugs - if you've tried to find a definition of their error codes, you'll

The server dumps quietly because the DBA probably hasn't set up the database
correctly.  Unless it is coded in to the system you're developing, I don't think
Oracle will log activities:  i.e. as long as you stay in SQL*NET(an Oracle
shell), no one will know you're around.

I worked with Oracle 7 on an HP 9000 before it became web enabled.  I noticed
that everytime something went wrong with the database, it would not show up in
syslog (one of the logs you were thinking of?).  Now, the trick is to  find an
account with the role and permission necessary to be able to run a sql script to
get passwords from the database(or at this point, if you know enough about SQL,
you can pull most text files from the Operating System).  I say this because as
an administrator, I found that all our users chose to have a database password
the same as a machine password.  Guess what?  Oracle has it's passwords in plain

As a side note, we discovered that Oracle accounts don't have to have machine
accounts.  Those were used for another aspect of the product we fielded.

Ross Potts                  Internet : Ross.Potts () med osd mil
EDS-D/SIDDOMS               Phone    : (703) 824-7601
Skyline Two, Suite 1200     Beeper   : (703) 316-7976
5203 Leesburg Pike,
Falls Church, VA 22041

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]