Home page logo

bugtraq logo Bugtraq mailing list archives

Oracle's ADI Major security hole
From: Melanie Abbas <abbas () UNI EDU>
Date: Mon, 7 May 2001 08:12:23 -0500

The version of ADI (Application Desktop Integrator) which was
recently shipped with Oracle's Financial Applications version 11.5.3
contains a major security breach.

Whenever the software is launched, it creates a file called dbg.txt on the
local hard drive on the system which contains in PLAIN TEXT the usernames
and passwords for both the application user and the APPS schema!

To explain further:
The software runs on Windows systems and uses the net8 client to talk to
the database, however, user's logon as their application ID and password,
not directly to the database.

In order for this to work, the application goes to the database with a
public username/password that must never be changed for the application to
function. The username/password is APPLYSYSPUB and the password is PUB
(this is openly documented). This database account is able to find the
APPS schema and encrypted password in the database. It then unencrypts the
password and uses it to connect to the database. It has always done this
in order to function, however, for some reason, this release creates what
appears to be a debug file on the local hard drive and stores this
information in PLAIN TEXT!

Since release 11 (I believe) all access to the database for the financial
applications is done by the APPS schema. Thus, the APPS schema has full
control of all the tables within the database!

I have opened a technical assistance request with Oracle and they are
working on a fix. It is apparantly some code that is in the fndpub11i.dll
that was delivered with the version. They suggest we get an
earlier release and use the fndpub11i.dll from that version or wait for
the newer release which should be out soon.

So, if you use ADI, or have locations where users have a net8 client
connection to your financials database, do NOT install the
version! Also be aware that if your users have access to Metalink, the
offending version is still available for download!

Melanie Abbas
Oracle Application Administrator - ITS
University of Northern Iowa
Be content with such things as you have. For God himself has said, I shall
never leave you nor forsake you.        -Hebrews 13:5

Office: GIL 255         Regular hours: 8:00-5:00
Phone: 273-6452         Fax: 273-5836           Beeper: 833-4489

  By Date           By Thread  

Current thread:
  • Oracle's ADI Major security hole Melanie Abbas (May 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]