Message-ID: <1C09DF36EB7A3F489633C919E7413501150D22@mapibe09.exchange.xchg>
Date: Wed Jul 13 20:44:49 2005
From: ak at red-database-security.com (Kornbrust, Alexander)
Subject: Advisory: Oracle JDeveloper Plaintext Passwords

Red-Database-Security GmbH - Oracle Security Advisory

Oracle JDeveloper Plaintext Passwords

 Name                Oracle JDeveloper Plaintext Passwords
 Systems Affected    Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2
 Severity            Low Risk
 Category            Information Disclosure of Passwords
 Vendor URL          http://www.oracle.com
 Author              Alexander Kornbrust (ak at red-database-security.com)
 Date                13 July 2005 (V 1.00)
 Advisory            AKSEC2003-006
 Oracle Vuln#        AS10
 Time to fix         148 days

Details
#######
The JDeveloper configuration files IDEConnections.xml, XSQLConfig.xml and
settings.xml contain unencrypted database passwords.

Examples
########

1. Plaintext-Password in IDEConnections.xml

<connection>
  <JDBC_PORT>1521</JDBC_PORT>
  <ConnectionType>JDBC</ConnectionType>
  <HOSTNAME>picard</HOSTNAME>
  <DeployPassword>true</DeployPassword>
  <user>system</user>
  <ConnectionName>ConnectionAlex2</ConnectionName>
  <SID>ora10103</SID>
  <JdbcDriver>oracle.jdbc.driver.OracleDriver</JdbcDriver>
  <password>mysupersecretpassword1</password>
  <ORACLE_JDBC_TYPE>thin</ORACLE_JDBC_TYPE>
</connection>

2. Plaintext-Password in XSQLConfig.xml

<connection name="ConnectionAlex1">
  <username>system</username>
  <password>mysupersecretpassword1</password>
  <dburl>jdbc:oracle:oci8:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))</dburl>
  <driver>oracle.jdbc.driver.OracleDriver</driver>
</connection>

3. Plaintext-Password of OTN Account in settings.xml

<Item>
  <Key>oracle.ideimpl.update.wizard.AuthInfo</Key>
  <Value class="oracle.ideimpl.update.wizard.AuthInfo">
    <password>mysupersecretpassword1</password>
    <passwordRemembered>true</passwordRemembered>
    <userName>email@...il.com</userName>
  </Value>
</Item>

Patch Information
#################
Apply the patches for JDeveloper and/or DeveloperSuite mentioned in Metalink
Note 311038 to your JDeveloper / DeveloperSuite installation (normally your
client PC).

History
#######
14-feb-2005 Oracle secalert_us was informed
14-feb-2005 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
12-jul-2005 Red-Database-Security published this advisory

(c) 2005 by Red-Database-Security GmbH
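
A defender-side check for the three files named in the advisory, added here as an example (it is not part of the original advisory or of any Oracle tooling): it walks a directory tree, reports every non-empty <password> element together with the account it belongs to and the file's permissions, and never prints the value itself. It assumes the element layout shown in the samples above (a <password> child next to the identifying elements, no XML namespaces) and cannot tell a cleartext value from an encoded one.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

# File names and element names below come from the advisory's samples.
TARGET_FILES = {"IDEConnections.xml", "XSQLConfig.xml", "settings.xml"}
ID_TAGS = ("ConnectionName", "user", "username", "userName")

def find_passwords(xml_data):
    """Describe each non-empty <password> element; the value itself is never returned."""
    findings = []
    for parent in ET.fromstring(xml_data).iter():
        pw = parent.find("password")          # direct child only
        if pw is None or not (pw.text or "").strip():
            continue
        ident = {t: parent.findtext(t) for t in ID_TAGS if parent.findtext(t)}
        if parent.get("name"):                # XSQLConfig.xml: <connection name="...">
            ident["name"] = parent.get("name")
        findings.append({"parent": parent.tag, "id": ident})
    return findings

def audit_tree(top):
    """Walk a directory tree; report affected files, their mode and what they hold."""
    report = []
    for dirpath, _dirs, files in os.walk(top):
        for name in sorted(TARGET_FILES.intersection(files)):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # bytes: let the parser honour the XML encoding
                    hits = find_passwords(fh.read())
                mode = stat.S_IMODE(os.stat(path).st_mode)
            except (OSError, ET.ParseError) as exc:
                report.append({"path": path, "error": str(exc)})
                continue
            if hits:
                readable = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
                report.append({"path": path, "mode": oct(mode),
                               "group_or_other_readable": readable, "findings": hits})
    return report

if __name__ == "__main__":
    for entry in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(entry)
```

Run it against a user profile or build workspace; files that fail to parse are listed with an error entry so they can be checked by hand.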