Re: Oracle 11g/10g Installation Vulnerability

Is the listener running by default during this window?

Don.

On Nov 13, 2007 1:52 PM, David Litchfield <david@xxxxxxxxxxxxxxxxxxxx> wrote:
> Hey all,
> After investigating 11g the other day I came across an interesting issue.
> During the installation of Oracle 11g and 10g all accounts, including the
> SYS and SYSTEM accounts, have their default passwords and only at the end of
> the install are the passwords changed. This means that there is a window of
> opportunity for an attacker to log into the database server during the
> install process. Depending upon "which" install options you choose
> determines the size of the window. Full details for those that are
> interested can be found here:
> http://www.davidlitchfield.com/blog/archives/00000030.htm - since I reported
> this to Oracle on the 3rd of November they've updated their security
> checklist document:
> http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database_20071108.pdf



-- 
Don Seiler
http://seilerwerks.wordpress.com
ultimate: http://www.mufc.us
--
http://www.freelists.org/webpage/oracle-l

