[23921] in bugtraq


Re: Breakable

daemon@ATHENA.MIT.EDU (uid0@catastrophe.net)
Mon Jan 21 19:06:08 2002

Date: Fri, 18 Jan 2002 14:29:43 -0600
From: uid0@catastrophe.net
To: "Jonathan A. Zdziarski" <jonathan@cafejesus.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20020118142943.Y13910@catastrophe.net>
Mail-Followup-To: "Jonathan A. Zdziarski" <jonathan@cafejesus.com>,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <000001c19f87$62df0970$0200000a@7lxf9yuvk>; from jonathan@cafejesus.com on Thu, Jan 17, 2002 at 01:47:16PM -0500

On Thu, 2002-01-17 at 13:47:16 -0500, Jonathan A. Zdziarski wrote...

; 2. The database comes with a handful of pre-existing "demo" accounts
; with preset passwords (e.g. SCOTT/TIGER, and a few others).

True, but linuxes now come with accounts susceptible to being owned by SSHD
exploits (the "!!" as passwords).

; 3. Shell commands can by default be executed by a connected sqlplus
; user, without any 
; particularly special privileges.  For example:
; 
; SQL> !pwd
; /export/home/jonz
; 
; SQL> host
; $

You're local at this point -- just as you can break out of ftp clients.

; 4. Auditing is turned off by default

As it is under most UNIXes.
  
It seems like the whole argument about this is "best practice", and in that 
regard, no - you shouldn't be putting databases out there UNLESS you have a
clue. And if not, get owned.

It's one thing to make comments on an end-user operating system such as
certain Microsoft products (if not all), but Oracle is intended to be run in
production, on wonderful hardware, with lots of money paid. Surely you
wouldn't hire some junior administrator to install and configure it. And if
so, you get what you pay for.

-#0
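The three defaults argued over in this thread (demo accounts with preset passwords, the SQL*Plus host escape, and auditing being off) each have a standard remediation on the database side. The following SQL*Plus session is an added example, not part of the original post or of Oracle's own documentation; it assumes a DBA connection (`SYS` or `SYSTEM`) on an Oracle release that ships the `DBA_USERS_WITH_DEFPWD` view (11g and later; the view did not exist in 2002) and the `SYSTEM.PRODUCT_USER_PROFILE` table created by `pupbld.sql`. Account names other than the ones named in the thread are illustrative.

```sql
-- Run as a DBA from SQL*Plus. Each step addresses one of the points
-- quoted above; none of them replaces a sensible network position for
-- the listener, which is the poster's actual argument.

-- 1. Demo accounts with preset passwords.
-- Enumerate accounts still using a known default password.
-- DBA_USERS_WITH_DEFPWD exists from 11g onward (assumption about version).
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- Lock and expire the demo accounts named in the thread (SCOTT/TIGER)
-- and any others the query above lists. Locking keeps the schema and
-- its objects; only logins are refused.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
-- ALTER USER <other_demo_account> ACCOUNT LOCK PASSWORD EXPIRE;

-- Confirm nothing unlocked is left with a default password.
SELECT u.username, u.account_status
FROM   dba_users u
JOIN   dba_users_with_defpwd d ON d.username = u.username
WHERE  u.account_status NOT LIKE '%LOCKED%';

-- 2. The SQL*Plus "!" / HOST escape.
-- As the reply notes, the escape runs as the local OS user who started
-- sqlplus, so it is not a privilege escalation. It can still be turned
-- off for non-admin users via the SQL*Plus product user profile, which
-- SQL*Plus consults at connect time. '%' applies the restriction to every
-- user; replace with a specific username to scope it.
INSERT INTO system.product_user_profile
       (product, userid, attribute, char_value)
VALUES ('SQL*Plus', '%', 'HOST', 'DISABLED');
COMMIT;
-- Note: this is enforced by the SQL*Plus client only; other clients and
-- a shell the user already has are unaffected.

-- 3. Auditing off by default.
-- Write the audit trail into the database (value DB) and take effect
-- on the next restart; AUDIT_TRAIL is a static parameter.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
-- After restart, record at least logons/logoffs and use of the
-- statements most often abused after a default-account login.
AUDIT SESSION;
AUDIT ALTER USER;
AUDIT CREATE USER;
AUDIT GRANT ANY PRIVILEGE;

-- Verify what is now being audited.
SELECT audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY audit_option;
```

The `PRODUCT_USER_PROFILE` entry is a client-side control and is worth having mainly so that a compromised application account cannot be used interactively to poke at the host from a jump box; it does not change what the operating-system user can already do, which is the point the reply makes about being "local at this point".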
