
oracle.8.passwd.txt

17 Aug 1999 00:00:00 | Reported by Packet Storm | Type: packetstorm | packetstormsecurity.com

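During database creation on Oracle 8.0.3 for NT 4.0, Oracle Database Assistant logs the master password in plaintext to a setup log that everyone can read, and a "typical" install sets that password to the default 'oracle'.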

`Date: Thu, 4 Mar 1999 15:44:37 -0600  
From: James Kivisild <[email protected]>  
To: [email protected]  
Subject: Oracle Plaintext Password  
  
  
I now know this has been mentioned before, however I've gotten a large  
number of responses from people about Oracle problems similar to this. As a  
first time Oracle installer, I didn't realize the scope of the problem. I  
hope that upon reading this, more people will realize that the Default  
settings under Oracle just aren't secure.  
  
Original Post to NTBugtraq:  
  
I apologize if this has been mentioned before, however I haven't had any  
time to pursue this issue with any vigor.  
  
I recently installed Oracle 8.0.3 Enterprise Edition on an NT 4.0  
Workstation and I noticed a particular feature within Oracle Database  
Assistant v1.0 that might be of some interest/concern.  
  
During the creation of an Oracle database, the Database Assistant lets you  
create either a custom or typical (default) database. If you select "custom"  
database, you must enter a master password that controls the administrative  
features in the database. If you select "typical", this password defaults to  
'oracle'.  
  
As the database is created, the Server Manager reports all activities to a  
log file. This log file, "\orant\database\spoolmain.log", even logs the  
master password as it connects to the server to continue the setup. The  
entry is as follows:  
  
Echo ON  
SVRMGR> connect INTERNAL/MYPASSWORD  
Connected.  
  
Not only is this password in plaintext, but the file has permissions that  
enable anyone to view it. (owned by Admins, but full control for everyone)  
I believe the setup informs you that the file exists and should be checked  
for errors, but I didn't find any other reference to it in the  
documentation.  
  
The log does get overwritten each time you create a new database, however  
that just limits the number of plaintext passwords to one. Once again, I  
haven't had time to look into this, but it seems like a potential problem  
worth mentioning.  
  
  
-James Kivisild  
  
`
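A defender-side check for the exposure described in the post, as an added example that is not part of the original message: it scans the text of a Server Manager spool log for `connect USER/PASSWORD` entries, flags the default 'oracle' password, and returns the line with the password redacted. The `scan_spool_log` and `Finding` names, the optional `@alias` suffix, and the case-insensitive password comparison are assumptions of this example; the sample log is constructed from the entry quoted above.

```python
import re
from dataclasses import dataclass

# Default master password the post says a "typical" database gets.
DEFAULT_PASSWORD = "oracle"

# Matches e.g. "SVRMGR> connect INTERNAL/MYPASSWORD"; the prompt is optional.
# The "@alias" suffix is an assumption beyond what the post shows.
CONNECT_RE = re.compile(
    r"^\s*(?:SVRMGR>\s*)?connect\s+(?P<user>[^\s/@]+)/(?P<pw>[^\s@]+)(?P<rest>@\S+)?",
    re.IGNORECASE,
)

@dataclass
class Finding:
    line_no: int      # 1-based line number in the log
    account: str      # account name, upper-cased
    is_default: bool  # True when the password is the default 'oracle'
    redacted: str     # the log line with the password masked

def scan_spool_log(text):
    """Return a Finding for each connect line that carries a plaintext password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CONNECT_RE.match(line)
        if not m:
            continue  # "connect INTERNAL" with no password is not flagged
        redacted = line[:m.start("pw")] + "********" + line[m.end("pw"):]
        # Case-insensitive comparison is an assumption of this example.
        is_default = m.group("pw").lower() == DEFAULT_PASSWORD
        findings.append(Finding(line_no, m.group("user").upper(),
                                is_default, redacted.strip()))
    return findings

# Constructed sample modelled on the entry quoted in the post.
SAMPLE_LOG = """Echo ON
SVRMGR> connect INTERNAL/MYPASSWORD
Connected.
SVRMGR> connect INTERNAL
SVRMGR> connect internal/oracle
Connected.
"""

if __name__ == "__main__":
    for f in scan_spool_log(SAMPLE_LOG):
        tag = "DEFAULT PASSWORD" if f.is_default else "plaintext password"
        print(f"line {f.line_no}: {f.account} {tag}: {f.redacted}")
```

Any finding means the logged password should be changed and the log removed or restricted to administrators, since the post reports the file grants full control to everyone.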
