Oracle HTML DB Plaintext Password Storage Vulnerability

Oracle HTML DB is prone to a plaintext password storage vulnerability.

During a manual install, the application stores the password of the 'SYS' user in a plaintext file on the filesystem. A local attacker who can access this file may retrieve the password and then gain administrative access to the application.

This issue was originally described and addressed in Oracle Critical Patch Update - April 2005, BID 13139 (Oracle Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a separate BID.


Copyright 2010, SecurityFocus