mailing list archives
Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator
From: Pavel Machek <pavel () ucw cz>
Date: Wed, 23 May 2001 17:43:22 +0000
Post date: 05/22/01
Vulnerability in Oracle E-Business Suite Release 11i Applications
A potential security vulnerability has been discovered in Applications
Desktop Integrator (ADI) version 7.X for Oracle E-Business Suite Release
11i. A debug version of the FNDPUB11I.DLL was inadvertently released
with a patch to Applications Desktop Integrator (ADI) version 7.X. This
DLL writes a debug file to the client machine that includes the clear
text APPS schema password. A malicious user could use this DLL to obtain
the APPS schema password and thereby gain elevated privileges.
The debug version of FNDPUB11I.DLL has been replaced with a production
version. In addition, a patch is available that introduces an enhanced
security feature, Application Server Security, to prevent the debug DLL
from connecting to the database. The complete solution to this
Is it just me or does this sound like "security by obscurity"? What if I
sit down and write evil PAVEL11I.DLL that *looks* like production one
but dumps passwords as debug one?
Looks to me like either *) server patch is unnecessary or *) you have
security hole, anyway.
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.