Oracle's ADI 7.1.1.10.1 Major security hole

2001-05-08T00:00:00
ID SECURITYVULNS:DOC:1587
Type securityvulns
Reporter Securityvulns
Modified 2001-05-08T00:00:00

Description

The version of ADI (Application Desktop Integrator) 7.1.1.10.1 which was recently shipped with Oracle's Financial Applications version 11.5.3 contains a major security breach.

Whenever the software is launched, it creates a file called dbg.txt on the local hard drive on the system which contains in PLAIN TEXT the usernames and passwords for both the application user and the APPS schema!

To explain further: The software runs on Windows systems and uses the net8 client to talk to the database; however, users log on with their application ID and password, not directly to the database.

In order for this to work, the application goes to the database with a public username/password that must never be changed for the application to function. The username/password is APPLYSYSPUB and the password is PUB (this is openly documented). This database account is able to find the APPS schema and encrypted password in the database. It then unencrypts the password and uses it to connect to the database. It has always done this in order to function, however, for some reason, this release creates what appears to be a debug file on the local hard drive and stores this information in PLAIN TEXT!

Since release 11 (I believe) all access to the database for the financial applications is done by the APPS schema. Thus, the APPS schema has full control of all the tables within the database!

I have opened a technical assistance request with Oracle and they are working on a fix. It is apparently some code that is in the fndpub11i.dll that was delivered with the 7.1.1.10.1 version. They suggest we get an earlier release and use the fndpub11i.dll from that version, or wait for the newer release, which should be out soon.

So, if you use ADI, or have locations where users have a net8 client connection to your financials database, do NOT install the 7.1.1.10.1 version! Also be aware that if your users have access to Metalink, the offending version is still available for download!

-- Melanie Abbas, Oracle Application Administrator - ITS, University of Northern Iowa
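The advisory recommends not installing the affected build, but workstations that already ran it may still carry the dbg.txt file. The script below is an added example, not part of the original post or of Oracle's software: it walks a directory tree (a workstation's drive or an administrative share), reports every file named dbg.txt with its size and modification time, and can overwrite and delete it. The layout of the file is not documented in the advisory, so the marker check (the APPS and APPLYSYSPUB names from the post plus the word "password") is an assumed heuristic used only to prioritise findings; the script never prints file contents. The run_demo() helper builds a constructed sample file in a temporary directory so the whole flow can be exercised offline.

```python
"""Find and scrub ADI dbg.txt files that hold plaintext credentials.

Added example, not code from the original advisory. The file name comes from
the post; the content markers are an assumption, since the advisory does not
describe the file's format.
"""
import os
import sys
import tempfile
from datetime import datetime, timezone

DEBUG_FILE_NAME = "dbg.txt"                       # name reported in the advisory
MARKERS = ("APPS", "APPLYSYSPUB", "PASSWORD")      # assumed heuristic, not documented


def credential_markers(path):
    """Return the sorted markers seen in the file; never the matching lines."""
    found = set()
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            upper = line.upper()
            found.update(m for m in MARKERS if m in upper)
    return sorted(found)


def find_debug_files(root):
    """Return one record per dbg.txt under root (case-insensitive name match)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != DEBUG_FILE_NAME:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            hits.append({
                "path": path,
                "size": st.st_size,
                "mtime": mtime.isoformat(),
                "markers": credential_markers(path),
            })
    return hits


def scrub(path):
    """Overwrite the file with zeros, flush to disk, then unlink it.
    Best effort only: journaling or compressed filesystems may keep old blocks."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return not os.path.exists(path)


def run_demo():
    """Build a constructed sample tree, scan it, scrub the hit, rescan."""
    root = tempfile.mkdtemp(prefix="adi_demo_")
    adi_dir = os.path.join(root, "ADI")
    os.makedirs(adi_dir)
    sample = os.path.join(adi_dir, "dbg.txt")
    with open(sample, "w") as fh:                   # constructed content, not real
        fh.write("user=jdoe\npassword=notreal\nschema=APPS\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("APPS mentioned here but wrong file name\n")
    before = find_debug_files(root)
    scrubbed = scrub(sample)
    after = find_debug_files(root)
    return {"before": before, "scrubbed": scrubbed, "after": after, "sample": sample}


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} <root-dir> [--scrub]")
        return 2
    root, do_scrub = argv[1], "--scrub" in argv[2:]
    hits = find_debug_files(root)
    for h in hits:
        markers = ",".join(h["markers"]) or "none"
        print(f"{h['path']}  size={h['size']}  modified={h['mtime']}  markers={markers}")
        if do_scrub:
            print("  scrubbed" if scrub(h["path"]) else "  scrub FAILED")
    return 1 if hits else 0        # non-zero exit lets a logon script flag the host


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it read-only first (`python adi_dbg_scan.py C:\`) to inventory affected machines, then with `--scrub` once the findings are recorded; the non-zero exit status is there so a logon script or inventory job can flag hosts that still had the file. Because the credentials may have been written well before the scan, treat any hit as a reason to rotate the exposed application passwords, not just to delete the file.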