Re: strt.cmd security hole??

Jared . Still Wed, 25 Jul 2001 13:57:03 -0700


Dave,

What's the platform?  NT?

Jared




                                                                                       
                                      
                    "Farnsworth, Dave"                                                 
                                      
                    <DFarnsworth@Ashleyfurn       To:     Multiple recipients of list 
ORACLE-L <[EMAIL PROTECTED]>        
                    iture.com>                    cc:                                  
                                      
                    Sent by:                      Subject:     strt<SID>.cmd security 
hole??                                 
                    [EMAIL PROTECTED]                                                   
                                      
                                                                                       
                                      
                                                                                       
                                      
                    07/25/01 01:47 PM                                                  
                                      
                    Please respond to                                                  
                                      
                    ORACLE-L                                                           
                                      
                                                                                       
                                      
                                                                                       
                                      




I inherited an Oracle 7.3.4 database that nobody knew the internal password
for.  So I was doing some research on metalink and came across an article
that mentioned the strt<SID>.cmd file would have the password.  I was
amazed
to open up this file and see the unencrypted password for internal.  I then
check my 8.0.5 database and the same thing.  Then I checked my 8.1.7
database and it was not there.  Did this gaping security hole disappear in
the 8i database?  I sure hope so.
Both the 7.3.4 and 8.0.5 have the remote_login_passwordfile init paramater
set to SHARED, whereas my 8.1.7 is set to EXCLUSIVE.  I don't know if this
has something to do with it.

Thanks,

Dave
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Farnsworth, Dave
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).




-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: 
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Re: strt.cmd security hole??

Reply via email to
