Re: passwords in clear text and password protected roles bypass

  • From: Mladen Gogala <mladen@xxxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 15 Mar 2004 14:05:58 -0500

Put DBMS_RANDOM in the script. Be warned, that may produce random
results.

On 03/15/2004 01:50:42 PM, Ravi Kulkarni wrote:
> Great hint, Thank you. 
> Is there a way to avoid(/defer) clear-text-passwords when Creating users ?
> 
> 
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Pete Finnigan
> Sent: Sunday, March 14, 2004 1:14 PM
> To: oracle-l@xxxxxxxxxxxxx
> Subject: passwords in clear text and password protected roles bypass
> 
> 
> Hi Everyone,
> 
> Further to Nuno's question last week I have just put two short papers on
> my website, the first discussing clear text password transmissions when
> changing a users password in the database which i showed in my post last
> and the second discussing the same issue with set role {blah} identified
> by {blah}. 
> 
> The second paper also discusses an issue I found whereby you can bypass
> the password protection assigned to a role. Both papers describe the
> issues and also suggest possible solutions. The papers are available
> from:
> 
> http://www.petefinnigan.com/ramblings/passwords_in_clear_text.htm
> and
> http://www.petefinnigan.com/ramblings/issues_with_roles_and_passwords.ht
> m
> 
> Hope you find them useful.
> 
> kind regards
> 
> Pete
> -- 
> Pete Finnigan
> email:pete@xxxxxxxxxxxxxxxx
> Web site: http://www.petefinnigan.com - Oracle security audit specialists
> Book:Oracle security step-by-step Guide - see http://store.sans.org for 
> details.
> 
> ----------------------------------------------------------------
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> ----------------------------------------------------------------
> To unsubscribe send email to:  oracle-l-request@xxxxxxxxxxxxx
> put 'unsubscribe' in the subject line.
> --
> Archives are at //www.freelists.org/archives/oracle-l/
> FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
> -----------------------------------------------------------------
> 
> ----------------------------------------------------------------
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> ----------------------------------------------------------------
> To unsubscribe send email to:  oracle-l-request@xxxxxxxxxxxxx
> put 'unsubscribe' in the subject line.
> --
> Archives are at //www.freelists.org/archives/oracle-l/
> FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
> -----------------------------------------------------------------
> 
----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to:  oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------

Other related posts:

  1. Home
  2. oracle-l
  3. Archive
  4. 03-2004