[7827] in bugtraq
Re: Hole in Oracle Server/Developer 2000 - authentication
daemon@ATHENA.MIT.EDU (Andrew Finkenstadt)
Mon Aug 31 18:00:34 1998
Date: Mon, 31 Aug 1998 14:18:33 -0500
Reply-To: kahuna@icon-stl.net
From: Andrew Finkenstadt <kahuna@ICON-STL.NET>
X-To: yarony@yarony.il.eu.org
To: BUGTRAQ@NETSPACE.ORG
Exactly as defined in "Understanding SQL*Net" Oracle documentation part number
A42484-1.
The reason given, is when talking with older SQL*Net servers the password was
passed in the clear. Newer SQL*Net servers understand encrypted passwords.
Properly configured SQL*Net networks done by a trained DBA will never leave
unencrypted password transmission enabled in the Oracle Network Manager
software.
The reason why the password is sent in clear text is to support "operating
system authenticated logins". Usually the password is "/" in this case.
Solution: get your university to configure their Oracle installations to not
support plaintext passwords.
Andy Finkenstadt
oracle guru
http://support.us.oracle.com has more information about Oracle.
Yaron Yanay wrote:
> So the protocol is:
>
> 1) sending username
> 2) if username is invalid:
> a) send password in clear text
> if username is valid:
> b) send encrypted password.
> if password is incorrect:
> send the password again in _clear text_
>
> I hope this will be fixed soon by the company (if anyone knows how to
> notify them, please do).
