Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator
From: Pavel Machek <pavel () ucw cz>
Date: Wed, 23 May 2001 17:43:22 +0000

Hi!

Post date: 05/22/01

Vulnerability in Oracle E-Business Suite Release 11i Applications
Desktop Integrator

Overview
A potential security vulnerability has been discovered in Applications
Desktop Integrator (ADI) version 7.X for Oracle E-Business Suite Release
11i. A debug version of the FNDPUB11I.DLL was inadvertently released
with a patch to Applications Desktop Integrator (ADI) version 7.X. This
DLL writes a debug file to the client machine that includes the clear
text APPS schema password. A malicious user could use this DLL to obtain
the APPS schema password and thereby gain elevated privileges.

...

Solution
The debug version of FNDPUB11I.DLL has been replaced with a production
version. In addition, a patch is available that introduces an enhanced
security feature, Application Server Security, to prevent the debug DLL
from connecting to the database. The complete solution to this

Is it just me or does this sound like "security by obscurity"? What if I 
sit down and write evil PAVEL11I.DLL that *looks* like production one 
but dumps passwords as debug one?

Looks to me like either *) server patch is unnecessary or *) you have
security hole, anyway.
                                                                Pavel
-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]