The OpenNET Project
 
Hole in Oracle Server/Developer 2000 - authentication protocol.


Date: Mon, 31 Aug 1998 14:18:33 -0500
From: Andrew Finkenstadt <[email protected]>
To: [email protected]
Subject: Re: Hole in Oracle Server/Developer 2000 - authentication protocol.

Exactly as defined in "Understanding SQL*Net" Oracle documentation part number
A42484-1.

The reason given is that when talking with older SQL*Net servers the password was
passed in the clear.  Newer SQL*Net servers understand encrypted passwords.
Properly configured SQL*Net networks done by a trained DBA will never leave
unencrypted password transmission enabled in the Oracle Network Manager
software.

The reason why the password is sent in clear text is to support "operating
system authenticated logins".  Usually the password is "/" in this case.

Solution: get your university to configure their Oracle installations to not
support plaintext passwords.

Andy Finkenstadt
oracle guru

http://support.us.oracle.com has more information about Oracle.

Yaron Yanay wrote:
> So the protocol is:
>
> 1) sending username
> 2) if username is invalid:
>         a) send password in clear text
>    if username is valid:
>         b) send encrypted password.
>            if password is incorrect:
>                 send the password again in _clear text_
>
> I hope this will be fixed soon by the company (if anyone knows how to
> notify them, please do).
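A model of the login flow quoted above and of the fix the reply recommends, added here as an illustration and not code from Oracle or from either poster. It assumes a constructed account table, uses a plain digest as a stand-in for the "encrypted password" (Oracle's real scheme is not modelled), and records what a passive observer on the wire would see in each configuration.

```python
import hashlib

# Constructed sample account; not from the thread.
USERS = {"scott": "tiger"}

def obscure(password: str) -> str:
    """Stand-in for the 'encrypted password' of newer SQL*Net servers.
    Assumption: a one-way digest; Oracle's real scheme is not modelled."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]

def login(username: str, password: str, allow_plaintext: bool):
    """Run the exchange from the quoted message and return (success, wire),
    where wire is the list of (sender, kind, payload) a network observer sees."""
    wire = [("client", "username", username)]
    if username not in USERS:
        # Step 2a: unknown user -> client falls back to a clear-text password.
        if allow_plaintext:
            wire.append(("client", "password_clear", password))
        wire.append(("server", "reject", "invalid login"))
        return False, wire
    # Step 2b: known user -> the encrypted password goes first.
    wire.append(("client", "password_encrypted", obscure(password)))
    if obscure(password) == obscure(USERS[username]):
        wire.append(("server", "accept", ""))
        return True, wire
    # Wrong password -> the client retries in clear text, unless the server
    # has plaintext support disabled (the fix recommended in the reply).
    if allow_plaintext:
        wire.append(("client", "password_clear", password))
    wire.append(("server", "reject", "invalid login"))
    return False, wire

def exposed_secrets(wire):
    """What a passive observer learns from the exchange: every clear-text password."""
    return [payload for _sender, kind, payload in wire if kind == "password_clear"]

if __name__ == "__main__":
    for allow in (True, False):
        # A legitimate user mistyping their password is the realistic case.
        ok, wire = login("scott", "tigr", allow_plaintext=allow)
        print(f"allow_plaintext={allow}: success={ok}, exposed={exposed_secrets(wire)}")
```

With plaintext enabled, a single typo by a valid user (or a typo in the username) puts the real password on the wire; with it disabled, the failed attempt exposes nothing.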
