Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Advisory: Oracle JDeveloper Plaintext Passwords

Advisory: Oracle JDeveloper Plaintext Passwords

From: <ak_at_red-database-security.com>
Date: 13 Jul 2005 19:36:27 -0000
('binary' encoding is not supported, stored as-is) Red-Database-Security GmbH - Oracle Security Advisory

Oracle JDeveloper Plaintext Passwords

 Name Oracle JDeveloper Plaintext Passwords
 Systems Affected Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2
 Severity Low Risk
 Category Information Disclosure of Passwords
 Vendor URL http://www.oracle.com
 Author Alexander Kornbrust (ak at red-database-security.com)
 Date 13 July 2005 (V 1.00)
 Advisory AKSEC2003-006
 Oracle Vuln# AS10
 Time to fix 148 days

      

Details
#######
The JDeveloper configuration files IDEConnections.xml, XSQLConfig.xml and
settings.xml contain unencrypted database passwords.

Examples
########
1. Plaintext-Password in IDEConnections.xml

<connection>
<JDBC_PORT>1521</JDBC_PORT>
<ConnectionType>JDBC</ConnectionType>
<HOSTNAME>picard</HOSTNAME>
<DeployPassword>true</DeployPassword>
<user>system</user>
<ConnectionName>ConnectionAlex2</ConnectionName>
<SID>ora10103</SID>
<JdbcDriver>oracle.jdbc.driver.OracleDriver</JdbcDriver>
<password>mysupersecretpassword1</password>
<ORACLE_JDBC_TYPE>thin</ORACLE_JDBC_TYPE>
</connection>

2. Plaintext-Password in XSQLConfig.xml

<connection name="ConnectionAlex1">
<username>system</username>
<password>mysupersecretpassword1</password>
<dburl>jdbc:oracle:oci8:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)
(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))</dburl>
<driver>oracle.jdbc.driver.OracleDriver</driver>
</connection>

3. Plaintext-Password of OTN Account in settings.xml

<Item>
<Key>oracle.ideimpl.update.wizard.AuthInfo</Key>
<Value class="oracle.ideimpl.update.wizard.AuthInfo">
<password>mysupersecretpassword1</password>
<passwordRemembered>true</passwordRemembered>
<userName>email_at_email.com</userName>
</Value>
</Item>

 

Patch Information
#################
Apply patches for Jdeveloper and / or DeveloperSuite mentioned in Metalink
Note 311038 on your Jdeveloper / DeveloperSuite Installation (normally your client PC).

History
#######
14-feb-2005 Oracle secalert_us was informed
14-feb-2005 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
12-jul-2005 Red-Database-Security published this advisory

© 2005 by Red-Database-Security GmbH
Received on Jul 13 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]