security problem with 8i
Hi All,

I am not sure if this has already been posted or not, but..

--29 June 2001 Oracle8i Database Buffer Overflow Vulnerability
Security experts found and disclosed a pair of vulnerabilities in the
standard and enterprise editions of Oracle8i database. The Transport
Network Substrate (TNS) Listener has a buffer overflow vulnerability;
a flaw in the SQL Net protocol leaves the system vulnerable to
denial-of-service attacks. Patches are available.

http://www.computerworld.com/storyba/0,4125,NAV47_STO61802,00.html

-bill

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Bill Conner
  INET: [EMAIL PROTECTED]

Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists

To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
Re: security problem with 8i
Listers:

My client has asked me to look into this issue and determine if they should
be concerned about it or not. Since they don't have any db's directly
accessible from the Internet and since their LAN is very secure anyway, I'm
inclined to not apply any patches based on the premise that if it isn't a
necessary patch, don't apply it in fear of breaking something else. What do
you think?
--
Jon Walthour, OCDBA
Oracle DBA
Computer Horizons
Cincinnati, Ohio

----- Original Message -----
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Monday, July 09, 2001 1:26 PM

> Hi All,
>
> I am not sure if this has already been posted or not, but..
>
> --29 June 2001 Oracle8i Database Buffer Overflow Vulnerability
> Security experts found and disclosed a pair of vulnerabilities in the
> standard and enterprise editions of Oracle8i database. The Transport
> Network Substrate (TNS) Listener has a buffer overflow vulnerability;
> a flaw in the SQL Net protocol leaves the system vulnerable to
> denial-of-service attacks. Patches are available.
>
> http://www.computerworld.com/storyba/0,4125,NAV47_STO61802,00.html
>
> -bill

--
Author: Jon Walthour
  INET: [EMAIL PROTECTED]
Re: security problem with 8i
On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> Listers:
>
> My client has asked me to look into this issue and determine if they should
> be concerned about it or not. Since they don't have any db's directly
> accessible from the Internet and since their LAN is very secure anyway, I'm
> inclined to not apply any patches based on the premise that if it isn't a
> necessary patch, don't apply it in fear of breaking something else. What do
> you think?
> --

two words, disgruntled employee

===
Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC28^D

--
Author: Ray Stell
  INET: [EMAIL PROTECTED]
Re: security problem with 8i
Jon,

I would tend to agree with you. As long as their data is not externally available, the risk of this type of attack is very low. Most employees are not foolhardy enough to initiate DOS attacks from their internal LAN's. However if they ever intend to move their system to the internet, VPN, etc. then they need to keep this info and patch as part of their migration plan.

Rodd

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 7/18/01, 6:45:57 AM, Jon Walthour <[EMAIL PROTECTED]> wrote regarding Re: security problem with 8i:

> Listers:
>
> My client has asked me to look into this issue and determine if they should
> be concerned about it or not. Since they don't have any db's directly
> accessible from the Internet and since their LAN is very secure anyway, I'm
> inclined to not apply any patches based on the premise that if it isn't a
> necessary patch, don't apply it in fear of breaking something else. What do
> you think?
> --
> Jon Walthour, OCDBA
> Oracle DBA
> Computer Horizons
> Cincinnati, Ohio
>
> ----- Original Message -----
> To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
> Sent: Monday, July 09, 2001 1:26 PM
>
> > Hi All,
> >
> > I am not sure if this has already been posted or not, but..
> >
> > --29 June 2001 Oracle8i Database Buffer Overflow Vulnerability
> > Security experts found and disclosed a pair of vulnerabilities in the
> > standard and enterprise editions of Oracle8i database. The Transport
> > Network Substrate (TNS) Listener has a buffer overflow vulnerability;
> > a flaw in the SQL Net protocol leaves the system vulnerable to
> > denial-of-service attacks. Patches are available.
> >
> > http://www.computerworld.com/storyba/0,4125,NAV47_STO61802,00.html
> >
> > -bill

--
Author: Rodd Holman
  INET: [EMAIL PROTECTED]
Re: security problem with 8i
Ah, War stories...

Reminds me (somewhat) of a company that I consulted, that had been suddenly abandoned by its DBA in November, 1999 - anyone remember the Y2K panic?? They couldn't explain the CPU slowdown and lack of IO throughput. So I went on site, and their DBA with 5 years of experience had exactly 3 tablespaces in the system: TEMP, RBS, and SYSTEM. System was > 2GB and was composed of about 25 datafiles. Anyone care to guess where all of the db objects lived??? It was a production system, BTW.

It's nice to feel like a miracle-worker sometimes. : )

Brian

Rachel Carmichael wrote:

> I would doubt he's joking. I've had similar experiences
>
> transferred to another department within the same company. Get a call from
> my old boss "our dba is out sick, we HAVE to have this done today, this is a
> highly secured system you have to help and make the changes from this pc"
>
> I go there, cannot log into the database with the username and password he
> gives me. We call the dba (who was really sick), apologize and ask for the
> username and password -- same as what I had. Still does not work. I stop,
> think and say "let me try something"
>
> and log in as system/manager
>
> I do what they ask me to, then take my old boss aside and explain (gently)
> that he has a security hole in his "highly secured" system that I could
> drive a truck through.
>
> >From: paquette stephane <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
> >Subject: Re: Re[2]: security problem with 8i
> >Date: Wed, 18 Jul 2001 07:25:48 -0800
> >
> >Are you joking ?
> >
> > --- [EMAIL PROTECTED] wrote:
> > > Although there has been so much publicity of security "holes" in Oracle, in
> > > particular the listener, the one hole that really causes me concern is the
> > > default passwords for sys and system and/or using the username as a password.
> > > Over the past 2 years I've been to a few sites, like 4, at a friend's request
> > > and/or on an interview where the manager said "show me" and each time I've been
> > > able to log onto the DB with any of the following:
> > >
> > > sys/change_on_install
> > > sys/sys
> > > system/system
> > > system/manager
> > >
> > > Now come on, this was an old V6 thing that we were supposed to do, and we're
> > > still not!!
> > >
> > > Dick Goulet
> > >
> > > Reply Separator
> > > Author: Ray Stell <[EMAIL PROTECTED]>
> > > Date: 7/18/2001 5:15 AM
> > >
> > > On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> > > > Listers:
> > > >
> > > > My client has asked me to look into this issue and determine if they should
> > > > be concerned about it or not. Since they don't have any db's directly
> > > > accessible from the Internet and since their LAN is very secure anyway, I'm
> > > > inclined to not apply any patches based on the premise that if it isn't a
> > > > necessary patch, don't apply it in fear of breaking something else. What do
> > > > you think?
> > > > --
> > >
> > > two words, disgruntled employee
> > >
> > > ===
> > > Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC28^D
Re: security problem with 8i
Rachel Carmichael wrote:

> and log in as system/manager
>
> I do what they ask me to, then take my old boss aside and explain (gently)
> that he has a security hole in his "highly secured" system that I could
> drive a truck through.

you, my dear goddess, are way too kind.;-)

--
Bill "Shrek" Thater    Certifiable ORACLE DBA
Telergy, Inc.    [EMAIL PROTECTED]
~~
You gotta program like you don't need the money,
You gotta compile like you'll never get hurt,
You gotta run like there's nobody watching,
It's gotta come from the heart if you want it to work.
~~
If a program is useful, it must be changed.

--
Author: Thater, William
  INET: [EMAIL PROTECTED]
Re: security problem with 8i
"Farnsworth, Dave" wrote:
>
> This is the way my current employer's shop was. After I started here as a
> SQL Server DBA I was told they want me to become the Oracle DBA for a new
> third party app they were getting. They already had two other apps using
> Oracle. These other apps were up and running for a couple of years. Within
> the first couple of months of learning Oracle I was able to access the other
> Oracle databases with the standard SYS and SYSTEM logins. These were
> systems that at the time, I did not have access to. Well the next day, I
> told damagement and now I have three Oracle systems. :)
>
> Dave

some days it doesn't pay to open your mouth.;-)

--
Bill "Shrek" Thater    Certifiable ORACLE DBA
Telergy, Inc.    [EMAIL PROTECTED]

--
Author: Thater, William
  INET: [EMAIL PROTECTED]
Re: security problem with 8i
nah, I LIKED this boss :)

>From: "Thater, William" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
>Subject: Re: security problem with 8i
>Date: Wed, 18 Jul 2001 09:02:52 -0800
>
>Rachel Carmichael wrote:
>
> > and log in as system/manager
> >
> > I do what they ask me to, then take my old boss aside and explain (gently)
> > that he has a security hole in his "highly secured" system that I could
> > drive a truck through.
>
>you, my dear goddess, are way too kind.;-)
>
>--
>Bill "Shrek" Thater    Certifiable ORACLE DBA
>Telergy, Inc.    [EMAIL PROTECTED]

--
Author: Rachel Carmichael
  INET: [EMAIL PROTECTED]
Re: security problem with 8i
Rachel Carmichael wrote:
>
> nah, I LIKED this boss :)

never had one of those.;-)

--
Bill "Shrek" Thater    Certifiable ORACLE DBA
Telergy, Inc.    [EMAIL PROTECTED]

--
Author: Thater, William
  INET: [EMAIL PROTECTED]
Re[2]: security problem with 8i
Although there has been so much publicity of security "holes" in Oracle, in
particular the listener, the one hole that really causes me concern is the
default passwords for sys and system and/or using the username as a password.
Over the past 2 years I've been to a few sites, like 4, at a friend's request
and/or on an interview where the manager said "show me" and each time I've been
able to log onto the DB with any of the following:

sys/change_on_install
sys/sys
system/system
system/manager

Now come on, this was an old V6 thing that we were supposed to do, and we're
still not!!

Dick Goulet

Reply Separator
Author: Ray Stell <[EMAIL PROTECTED]>
Date: 7/18/2001 5:15 AM

On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> Listers:
>
> My client has asked me to look into this issue and determine if they should
> be concerned about it or not. Since they don't have any db's directly
> accessible from the Internet and since their LAN is very secure anyway, I'm
> inclined to not apply any patches based on the premise that if it isn't a
> necessary patch, don't apply it in fear of breaking something else. What do
> you think?
> --

two words, disgruntled employee

===
Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC28^D
Re[2]: security problem with 8i
Brian,

Humm, let me guess, SYSTEM right??? Some old concepts die so hard. Oracle 5 and earlier did not understand the idea of tablespaces, but had partitions with the system partition being the original and prime one. Now one could create other partitions, but that was 'risky' at best whereas Oracle provided a canned way to add a datafile to the system partition!!!

Dick Goulet

Reply Separator
Author: "Brian McGraw" <[EMAIL PROTECTED]>
Date: 7/18/2001 8:56 AM

Ah, War stories...

Reminds me (somewhat) of a company that I consulted, that had been suddenly abandoned by its DBA in November, 1999 - anyone remember the Y2K panic?? They couldn't explain the CPU slowdown and lack of IO throughput. So I went on site, and their DBA with 5 years of experience had exactly 3 tablespaces in the system: TEMP, RBS, and SYSTEM. System was > 2GB and was composed of about 25 datafiles. Anyone care to guess where all of the db objects lived??? It was a production system, BTW.

It's nice to feel like a miracle-worker sometimes. : )

Brian

Rachel Carmichael wrote:

> I would doubt he's joking. I've had similar experiences
>
> transferred to another department within the same company. Get a call from
> my old boss "our dba is out sick, we HAVE to have this done today, this is a
> highly secured system you have to help and make the changes from this pc"
>
> I go there, cannot log into the database with the username and password he
> gives me. We call the dba (who was really sick), apologize and ask for the
> username and password -- same as what I had. Still does not work. I stop,
> think and say "let me try something"
>
> and log in as system/manager
>
> I do what they ask me to, then take my old boss aside and explain (gently)
> that he has a security hole in his "highly secured" system that I could
> drive a truck through.
>
> >From: paquette stephane <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
> >Subject: Re: Re[2]: security problem with 8i
> >Date: Wed, 18 Jul 2001 07:25:48 -0800
> >
> >Are you joking ?
> >
> > --- [EMAIL PROTECTED] wrote:
> > > Although there has been so much publicity of security "holes" in Oracle, in
> > > particular the listener, the one hole that really causes me concern is the
> > > default passwords for sys and system and/or using the username as a password.
> > > Over the past 2 years I've been to a few sites, like 4, at a friend's request
> > > and/or on an interview where the manager said "show me" and each time I've been
> > > able to log onto the DB with any of the following:
> > >
> > > sys/change_on_install
> > > sys/sys
> > > system/system
> > > system/manager
> > >
> > > Now come on, this was an old V6 thing that we were supposed to do, and we're
> > > still not!!
> > >
> > > Dick Goulet
> > >
> > > Reply Separator
> > > Author: Ray Stell <[EMAIL PROTECTED]>
> > > Date: 7/18/2001 5:15 AM
> > >
> > > On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> > > > Listers:
> > > >
> > > > My client has asked me to look into this issue and determine if they should
> > > > be concerned about it or not. Since they don't have any db's directly
> > > > accessible from the Internet and since their LAN is very secure anyway, I'm
> > > > inclined to not apply any patches based on the premise that if it isn't a
> > > > necessary patch, don't apply it in fear of breaking something else. What do
> > > > you think?
> > > > --
> > >
> > > two words, disgruntled employee
> > >
> > > ===
> > > Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC28^D
Re: Re[2]: security problem with 8i
Are you joking ?

--- [EMAIL PROTECTED] wrote:
> Although there has been so much publicity of security "holes" in Oracle, in
> particular the listener, the one hole that really causes me concern is the
> default passwords for sys and system and/or using the username as a password.
> Over the past 2 years I've been to a few sites, like 4, at a friend's request
> and/or on an interview where the manager said "show me" and each time I've been
> able to log onto the DB with any of the following:
>
> sys/change_on_install
> sys/sys
> system/system
> system/manager
>
> Now come on, this was an old V6 thing that we were supposed to do, and we're
> still not!!
>
> Dick Goulet
>
> Reply Separator
> Author: Ray Stell <[EMAIL PROTECTED]>
> Date: 7/18/2001 5:15 AM
>
> On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> > Listers:
> >
> > My client has asked me to look into this issue and determine if they should
> > be concerned about it or not. Since they don't have any db's directly
> > accessible from the Internet and since their LAN is very secure anyway, I'm
> > inclined to not apply any patches based on the premise that if it isn't a
> > necessary patch, don't apply it in fear of breaking something else. What do
> > you think?
> > --
>
> two words, disgruntled employee
>
> ===
> Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC28^D

=
Stéphane Paquette
DBA Oracle, consultant entrepôt de données
Oracle DBA, datawarehouse consultant
[EMAIL PROTECTED]

--
Author: paquette stephane
  INET: [EMAIL PROTECTED]
Re: Re[2]: security problem with 8i
I would doubt he's joking. I've had similar experiences

transferred to another department within the same company. Get a call from
my old boss "our dba is out sick, we HAVE to have this done today, this is a
highly secured system you have to help and make the changes from this pc"

I go there, cannot log into the database with the username and password he
gives me. We call the dba (who was really sick), apologize and ask for the
username and password -- same as what I had. Still does not work. I stop,
think and say "let me try something"

and log in as system/manager

I do what they ask me to, then take my old boss aside and explain (gently)
that he has a security hole in his "highly secured" system that I could
drive a truck through.

>From: paquette stephane <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
>Subject: Re: Re[2]: security problem with 8i
>Date: Wed, 18 Jul 2001 07:25:48 -0800
>
>Are you joking ?
>
> --- [EMAIL PROTECTED] wrote:
> > Although there has been so much publicity of security "holes" in Oracle, in
> > particular the listener, the one hole that really causes me concern is the
> > default passwords for sys and system and/or using the username as a password.
> > Over the past 2 years I've been to a few sites, like 4, at a friend's request
> > and/or on an interview where the manager said "show me" and each time I've been
> > able to log onto the DB with any of the following:
> >
> > sys/change_on_install
> > sys/sys
> > system/system
> > system/manager
> >
> > Now come on, this was an old V6 thing that we were supposed to do, and we're
> > still not!!
> >
> > Dick Goulet
> >
> > Reply Separator
> > Author: Ray Stell <[EMAIL PROTECTED]>
> > Date: 7/18/2001 5:15 AM
> >
> > On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> > > Listers:
> > >
> > > My client has asked me to look into this issue and determine if they should
> > > be concerned about it or not. Since they don't have any db's directly
> > > accessible from the Internet and since their LAN is very secure anyway, I'm
> > > inclined to not apply any patches based on the premise that if it isn't a
> > > necessary patch, don't apply it in fear of breaking something else. What do
> > > you think?
> > > --
> >
> > two words, disgruntled employee
> >
> > ===
> > Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC28^D
>
>=
>Stéphane Paquette
>DBA Oracle, consultant entrepôt de données
>Oracle DBA, datawarehouse consultant
>[EMAIL PROTECTED]
RE: Re[2]: security problem with 8i
This is the way my current employer's shop was. After I started here as a SQL Server DBA I was told they want me to become the Oracle DBA for a new third party app they were getting. They already had two other apps using Oracle. These other apps were up and running for a couple of years. Within the first couple of months of learning Oracle I was able to access the other Oracle databases with the standard SYS and SYSTEM logins. These were systems that, at the time, I did not have access to. Well, the next day, I told damagement and now I have three Oracle systems. :)

Dave

-----Original Message-----
Sent: Wednesday, July 18, 2001 11:13 AM
To: Multiple recipients of list ORACLE-L

I would doubt he's joking. I've had similar experiences transferred to another department within the same company. Get a call from my old boss "our dba is out sick, we HAVE to have this done today, this is a highly secured system you have to help and make the changes from this pc". I go there, cannot log into the database with the username and password he gives me. We call the dba (who was really sick), apologize and ask for the username and password -- same as what I had. Still does not work. I stop, think and say "let me try something" and log in as system/manager. I do what they ask me to, then take my old boss aside and explain (gently) that he has a security hole in his "highly secured" system that I could drive a truck through.

>From: paquette stephane <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
>Subject: Re: Re[2]: security problem with 8i
>Date: Wed, 18 Jul 2001 07:25:48 -0800
>
>Are you joking?
>
> --- [EMAIL PROTECTED] wrote:
> > Although there has been so much publicity of security "holes" in Oracle, in particular the listener, the one hole that really causes me concern is the default passwords for sys and system and/or using the username as a password. Over the past 2 years I've been to a few sites, like 4, at a friend's request and/or on an interview where the manager said "show me" and each time I've been able to log onto the DB with any of the following:
> >
> > sys/change_on_install
> > sys/sys
> > system/system
> > system/manager
> >
> > Now come on, this was an old V6 thing that we were supposed to do, and we're still not!!
> >
> > Dick Goulet
> >
> > Reply Separator
> > Author: Ray Stell <[EMAIL PROTECTED]>
> > Date: 7/18/2001 5:15 AM
> >
> > On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> > > Listers:
> > >
> > > My client has asked me to look into this issue and determine if they should be concerned about it or not. Since they don't have any db's directly accessible from the Internet and since their LAN is very secure anyway, I'm inclined to not apply any patches based on the premise that if it isn't a necessary patch, don't apply it in fear of breaking something else. What do you think?
> > > --
> >
> > two words, disgruntled employee
> > ===
> > Ray Stell [EMAIL PROTECTED] (540) 231-4109
> > KE4TJC28^D
RE: Re[2]: security problem with 8i
Oh yeah! I've got one even better! When I joined a previous company, their *Web-accessible* application's administration username/password was admin/admin! Their production Oracle DB - accessed via the admin/admin "protected" app - had system/manager and mps/mps (mps stands for Main Production Schema), plus all the usual default schemas like ctxsys/ctxsys... Needless to say, I closed those holes pretty quickly!

Jack

Jack C. Applewhite
Database Administrator/Developer
OCP Oracle8 DBA
iNetProfit, Inc.
Austin, Texas
www.iNetProfit.com
[EMAIL PROTECTED]
(512)327-9068

-----Original Message-----
Carmichael
Sent: Wednesday, July 18, 2001 11:13 AM
To: Multiple recipients of list ORACLE-L

I would doubt he's joking. I've had similar experiences transferred to another department within the same company. Get a call from my old boss "our dba is out sick, we HAVE to have this done today, this is a highly secured system you have to help and make the changes from this pc". I go there, cannot log into the database with the username and password he gives me. We call the dba (who was really sick), apologize and ask for the username and password -- same as what I had. Still does not work. I stop, think and say "let me try something" and log in as system/manager. I do what they ask me to, then take my old boss aside and explain (gently) that he has a security hole in his "highly secured" system that I could drive a truck through.
Re: Re[2]: security problem with 8i
Not at all. Just last week I had a vendor who came in to install a package. They were very upset because SYS didn't have the "standard" password and their install script wouldn't work. I questioned their use of the SYS schema for the installation but powers wiser than me had me change the SYS password to the "standard" value and leave the room. Hey, it's a job.
RE: Re[2]: security problem with 8i
My old job had never changed any of the default passwords. And the reason why standard passwords are kept is because it is 'easy to remember'. Go figure...

-----Original Message-----
Sent: Wednesday, July 18, 2001 1:48 PM
To: Multiple recipients of list ORACLE-L

Not at all. Just last week I had a vendor who came in to install a package. They were very upset because SYS didn't have the "standard" password and their install script wouldn't work. I questioned their use of the SYS schema for the installation but powers wiser than me had me change the SYS password to the "standard" value and leave the room. Hey, it's a job.
OT RE: Re[2]: security problem with 8i
There's also the ALL POWERFUL scott/tiger account to consider!

-----Original Message-----
Sent: Wednesday, July 18, 2001 11:07 AM
To: Multiple recipients of list ORACLE-L

Although there has been so much publicity of security "holes" in Oracle, in particular the listener, the one hole that really causes me concern is the default passwords for sys and system and/or using the username as a password. Over the past 2 years I've been to a few sites, like 4, at a friend's request and/or on an interview where the manager said "show me" and each time I've been able to log onto the DB with any of the following:

sys/change_on_install
sys/sys
system/system
system/manager

Now come on, this was an old V6 thing that we were supposed to do, and we're still not!!

Dick Goulet

Reply Separator
Author: Ray Stell <[EMAIL PROTECTED]>
Date: 7/18/2001 5:15 AM

On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> Listers:
>
> My client has asked me to look into this issue and determine if they should be concerned about it or not. Since they don't have any db's directly accessible from the Internet and since their LAN is very secure anyway, I'm inclined to not apply any patches based on the premise that if it isn't a necessary patch, don't apply it in fear of breaking something else. What do you think?
> --

two words, disgruntled employee
===
Ray Stell [EMAIL PROTECTED] (540) 231-4109
KE4TJC28^D

--
Author: Mohan, Ross
Re[2]: Re[2]: security problem with 8i
I wish I was.

Reply Separator
Author: paquette stephane <[EMAIL PROTECTED]>
Date: 7/18/2001 7:25 AM

Are you joking?

--- [EMAIL PROTECTED] wrote:
> Although there has been so much publicity of security "holes" in Oracle, in particular the listener, the one hole that really causes me concern is the default passwords for sys and system and/or using the username as a password. Over the past 2 years I've been to a few sites, like 4, at a friend's request and/or on an interview where the manager said "show me" and each time I've been able to log onto the DB with any of the following:
>
> sys/change_on_install
> sys/sys
> system/system
> system/manager
>
> Now come on, this was an old V6 thing that we were supposed to do, and we're still not!!
>
> Dick Goulet
>
> Reply Separator
> Author: Ray Stell <[EMAIL PROTECTED]>
> Date: 7/18/2001 5:15 AM
>
> On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> > Listers:
> >
> > My client has asked me to look into this issue and determine if they should be concerned about it or not. Since they don't have any db's directly accessible from the Internet and since their LAN is very secure anyway, I'm inclined to not apply any patches based on the premise that if it isn't a necessary patch, don't apply it in fear of breaking something else. What do you think?
> > --
>
> two words, disgruntled employee
> ===
> Ray Stell [EMAIL PROTECTED] (540) 231-4109
> KE4TJC28^D

=
Stéphane Paquette
Oracle DBA, datawarehouse consultant
[EMAIL PROTECTED]
Re[2]: Re[2]: security problem with 8i
In my book, it was a job.

Reply Separator
Author: [EMAIL PROTECTED]
Date: 7/18/2001 9:48 AM

Not at all. Just last week I had a vendor who came in to install a package. They were very upset because SYS didn't have the "standard" password and their install script wouldn't work. I questioned their use of the SYS schema for the installation but powers wiser than me had me change the SYS password to the "standard" value and leave the room. Hey, it's a job.
Re: OT RE: Re[2]: security problem with 8i
Ross,

You can get into all of my databases that way, including the enterprise SAP database. Wonderful huh?

Changing passwords around is on my todo list, but it's often not as simple as just changing it. There may be other ramifications, like it's a FailSafe database for instance. Or a 3rd party duhveloper installed the software and set everyone up to run as SYSTEM. Brilliant.

Jared

On Wednesday 18 July 2001 08:20, Mohan, Ross wrote:
>
> Although there has been so much publicity of security "holes" in Oracle, in particular the listener, the one hole that really causes me concern is the default passwords for sys and system and/or using the username as a password. Over the past 2 years I've been to a few sites, like 4, at a friend's request and/or on an interview where the manager said "show me" and each time I've been able to log onto the DB with any of the following:
>
> sys/change_on_install
> sys/sys
> system/system
> system/manager
>
> Now come on, this was an old V6 thing that we were supposed to do, and we're still not!!
>
> Dick Goulet
>
> Reply Separator
> Author: Ray Stell <[EMAIL PROTECTED]>
> Date: 7/18/2001 5:15 AM
>
> On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> > Listers:
> >
> > My client has asked me to look into this issue and determine if they should be concerned about it or not. Since they don't have any db's directly accessible from the Internet and since their LAN is very secure anyway, I'm inclined to not apply any patches based on the premise that if it isn't a necessary patch, don't apply it in fear of breaking something else. What do you think?
> > --
>
> two words, disgruntled employee
> ===
> Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC28^D

--
Author: Jared Still
RE: OT RE: Re[2]: security problem with 8i
JS,

I think DG did this and mail got crossed.

HTH,

RM

-----Original Message-----
Sent: Wednesday, July 18, 2001 11:51 AM
To: Multiple recipients of list ORACLE-L

Ross,

You can get into all of my databases that way, including the enterprise SAP database. Wonderful huh?

Changing passwords around is on my todo list, but it's often not as simple as just changing it. There may be other ramifications, like it's a FailSafe database for instance. Or a 3rd party duhveloper installed the software and set everyone up to run as SYSTEM. Brilliant.

Jared

On Wednesday 18 July 2001 08:20, Mohan, Ross wrote:
>
> Although there has been so much publicity of security "holes" in Oracle, in particular the listener, the one hole that really causes me concern is the default passwords for sys and system and/or using the username as a password. Over the past 2 years I've been to a few sites, like 4, at a friend's request and/or on an interview where the manager said "show me" and each time I've been able to log onto the DB with any of the following:
>
> sys/change_on_install
> sys/sys
> system/system
> system/manager
>
> Now come on, this was an old V6 thing that we were supposed to do, and we're still not!!
>
> Dick Goulet
>
> Reply Separator
> Author: Ray Stell <[EMAIL PROTECTED]>
> Date: 7/18/2001 5:15 AM
>
> On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> > Listers:
> >
> > My client has asked me to look into this issue and determine if they should be concerned about it or not. Since they don't have any db's directly accessible from the Internet and since their LAN is very secure anyway, I'm inclined to not apply any patches based on the premise that if it isn't a necessary patch, don't apply it in fear of breaking something else. What do you think?
> > --
>
> two words, disgruntled employee
> ===
> Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC28^D

--
Author: Mohan, Ross