[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: Hole in Oracle Server/Developer 2000 - authentication
From:       Andrew Finkenstadt <kahuna () icon-stl ! net>
Date:       1998-08-31 19:18:33
[Download RAW message or body]

Exactly as defined in "Understanding SQL*Net" Oracle documentation part number
A42484-1.

The reason given, is when talking with older SQL*Net servers the password was
passed in the clear.  Newer SQL*Net servers understand encrypted passwords.
Properly configured SQL*Net networks done by a trained DBA will never leave
unencrypted password transmission enabled in the Oracle Network Manager
software.

The reason why the password is sent in clear text is to support "operating
system authenticated logins".  Usually the password is "/" in this case.

Solution: get your university to configure their Oracle installations to not
support plaintext passwords.

Andy Finkenstadt
oracle guru

http://support.us.oracle.com has more information about Oracle.

Yaron Yanay wrote:
> So the protocol is:
>
> 1) sending username
> 2) if username is invalid:
>         a) send password in clear text
>    if username is valid:
>         b) send encrypted password.
>            if password is incorrect:
>                 send the password again in _clear text_
>
> I hope this will be fixed soon by the company (if anyone knows how to
> notify them, please do).

[prev in list] [next in list] [prev in thread] [next in thread]