Oracle JDeveloper Plaintext Passwords
Name              Oracle JDeveloper Plaintext Passwords
Systems Affected  Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2
Severity          Low Risk
Category          Information Disclosure of Passwords
Vendor URL        http://www.oracle.com
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              13 July 2005 (V 1.00)
Advisory          AKSEC2003-006
Oracle Vuln#      AS10
Time to fix       148 days
Details
#######
The JDeveloper configuration files IDEConnections.xml, XSQLConfig.xml and
settings.xml contain unencrypted database passwords.
Examples
########
1. Plaintext-Password in IDEConnections.xml
<connection>
  <JDBC_PORT>1521</JDBC_PORT>
  <ConnectionType>JDBC</ConnectionType>
  <HOSTNAME>picard</HOSTNAME>
  <DeployPassword>true</DeployPassword>
  <user>system</user>
  <ConnectionName>ConnectionAlex2</ConnectionName>
  <SID>ora10103</SID>
  <JdbcDriver>oracle.jdbc.driver.OracleDriver</JdbcDriver>
  <password>mysupersecretpassword1</password>
  <ORACLE_JDBC_TYPE>thin</ORACLE_JDBC_TYPE>
</connection>
2. Plaintext-Password in XSQLConfig.xml
<connection name="ConnectionAlex1">
  <username>system</username>
  <password>mysupersecretpassword1</password>
  <dburl>jdbc:oracle:oci8:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))</dburl>
  <driver>oracle.jdbc.driver.OracleDriver</driver>
</connection>
3. Plaintext-Password of OTN Account in settings.xml
<Item>
  <Key>oracle.ideimpl.update.wizard.AuthInfo</Key>
  <Value class="oracle.ideimpl.update.wizard.AuthInfo">
    <password>mysupersecretpassword1</password>
    <passwordRemembered>true</passwordRemembered>
    <userName>email (at) email (dot) com</userName>
  </Value>
</Item>
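
The following audit script is an added example, not part of the original advisory: it reports every non-empty <password> element in the three files named above, identifying the account by its sibling elements without ever returning the password itself. It assumes the element names shown in the examples above (no XML namespaces); the function names and the sample input are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# File names taken from the advisory.
TARGET_FILES = {"IDEConnections.xml", "XSQLConfig.xml", "settings.xml"}
# Sibling elements that identify the account in the advisory's examples.
ID_TAGS = ("ConnectionName", "user", "username", "userName")

def find_password_elements(xml_data):
    """Return one finding per non-empty <password>; the value is never returned."""
    findings = []
    root = ET.fromstring(xml_data)
    for parent in root.iter():
        for child in parent:
            if child.tag != "password" or not (child.text or "").strip():
                continue  # not a password element, or nothing stored in it
            ident = {t: parent.findtext(t) for t in ID_TAGS if parent.findtext(t)}
            if parent.get("name"):
                ident["name"] = parent.get("name")
            findings.append({"parent": parent.tag, "ident": ident})
    return findings

def scan_tree(top):
    """Walk a directory (e.g. a user profile) and scan the three file names."""
    results = {}
    for dirpath, _dirs, files in os.walk(top):
        for name in TARGET_FILES.intersection(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # bytes: honour the declared encoding
                    hits = find_password_elements(fh.read())
            except (OSError, ET.ParseError):
                continue  # unreadable or malformed file: skip it
            if hits:
                results[path] = hits
    return results

# Constructed sample modelled on the advisory's XSQLConfig.xml example.
SAMPLE = """<connectiondefs>
  <connection name="ConnectionAlex1">
    <username>system</username>
    <password>mysupersecretpassword1</password>
  </connection>
  <connection name="empty"><username>scott</username><password/></connection>
</connectiondefs>"""

if __name__ == "__main__":
    for hit in find_password_elements(SAMPLE):
        print(hit)
```
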
Patch Information
#################
Apply the patches for JDeveloper and/or DeveloperSuite mentioned in Metalink
Note 311038 to your JDeveloper / DeveloperSuite installation (normally your client PC).
History
#######
14-feb-2005 Oracle secalert_us was informed
14-feb-2005 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
12-jul-2005 Red-Database-Security published this advisory
© 2005 by Red-Database-Security GmbH