Oracle ADI Plain Text Password Storage Vulnerability

Oracle Application Desktop Integrator (ADI) is part of the Oracle Financial Applications. ADI is a software package designed to allow desktop users to manipulate the database from a personal computer.

A problem in this software package could allow access to plain text passwords. The ADI package queries the database for the encrypted password, and decrypts it at the local system, thus allowing the ADI user to log into the database. However, this password is stored in a plain text file.

This makes it possible for a local user to gain access to the APPS Schema password, and potentially full access to the database.


Privacy Statement
Copyright 2010, SecurityFocus