[20763] in bugtraq
Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator
daemon@ATHENA.MIT.EDU (Pavel Machek)
Fri May 25 12:31:30 2001
Date: Wed, 23 May 2001 17:43:22 +0000
From: Pavel Machek <pavel@ucw.cz>
To: Oracle Security Alerts <secalert_us@oracle.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20010523174321.A120@toy.ucw.cz>
In-Reply-To: <3B0AB855.A108F5C5@oracle.com>; from secalert_us@oracle.com on Tue, May 22, 2001 at 12:04:54PM -0700
Hi!
> Post date: 05/22/01
>
> Vulnerability in Oracle E-Business Suite Release 11i Applications
> Desktop Integrator
>
> Overview
> A potential security vulnerability has been discovered in Applications
> Desktop Integrator (ADI) version 7.X for Oracle E-Business Suite Release
> 11i. A debug version of the FNDPUB11I.DLL was inadvertently released
> with a patch to Applications Desktop Integrator (ADI) version 7.X. This
> DLL writes a debug file to the client machine that includes the clear
> text APPS schema password. A malicious user could use this DLL to obtain
> the APPS schema password and thereby gain elevated privileges.
...
> Solution
> The debug version of FNDPUB11I.DLL has been replaced with a production
> version. In addition, a patch is available that introduces an enhanced
> security feature, Application Server Security, to prevent the debug DLL
> from connecting to the database. The complete solution to this

Is it just me or does this sound like "security by obscurity"? What if I
sit down and write an evil PAVEL11I.DLL that *looks* like the production one
but dumps passwords as the debug one?

Looks to me like either *) the server patch is unnecessary or *) you have
a security hole, anyway.

Pavel
--
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.