Forum OpenACS Q&A: Response to Bugtraq: Oracle security

Posted by Jade Rubick on
Date: Fri, 18 Jan 2002 11:30:43 -0800
From: "bugtraq@t-swat.com" 
To: Jonathan A. Zdziarski 
Cc: bugtraq@securityfocus.com
Subject: RE: Breakable

Jonathan-

Just a couple of points:

To clarify, the "host" command is client-based.  For instance, when I 
SQLPLUS into a remote database and use the host command, it breaks me 
out into the directory of the local machine, not the server I'm 
connected to.  Same goes for any local shell commands.  I don't see that 
as being a security risk.

As to the System and Sys accounts having defaulted passwords, the last time 
I installed 9i it made me change them at the time of install.  The accounts 
were also locked, and not accessible, until I went in as INTERNAL and 
modified them.  I find this to be somewhat acceptable behaviour.

As to the other accounts (SCOTT/TIGER, etc.), that is a good point, but 
covered quite clearly in the "how to secure your database" documentation.


I think it comes right down to the fact that Oracle is an extremely 
complex, yet powerful database, and anyone that is going to do any kind of 
professional development with it or use it in a "public" environment (as in 
exposed to the world) should understand how to use auditing, and lock out 
or remove unwanted accounts, and how to architect applications, systems, 
and security appropriately.  When you currently perform a default install 
of Oracle, it is in a "relatively" secure, yet "easy" to use config that 
allows people to explore and learn about it without having to figure out 
how to unlock it first.

I think that anyone who is not familiar with Oracle and yet implements it 
in a vulnerable place without taking the appropriate cautions is almost 
deserving to be hacked.  (This ain't your father's Access database!)


$0.02


...jeff
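The message above names the three things it expects an Oracle administrator to know: how to use auditing, how to lock out or remove unwanted accounts, and how to tell which accounts are still open. The following SQL*Plus script, added here as an illustration and not part of the original post or of Oracle's own documentation, walks through those steps as a DBA would run them. It assumes a DBA connection and an 11g-or-later data dictionary; the DBA_USERS_WITH_DEFPWD view in step 2 did not exist in the 9i release the post discusses, and the profile name "hardened" is an arbitrary choice for the example.

```sql
-- Added example, not from the original post. Run as a DBA in SQL*Plus.
-- Assumes Oracle 11g or later for DBA_USERS_WITH_DEFPWD; everything else
-- is long-standing syntax. "hardened" is a name chosen for this example.

-- 1. Which accounts can currently log in?  Anything LOCKED is out of reach.
SELECT username, account_status, profile
  FROM dba_users
 WHERE account_status NOT LIKE 'LOCKED%'
 ORDER BY username;

-- 2. Open accounts still carrying the password they shipped with.
--    (Default-password check; view exists from 11g onward.)
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE 'LOCKED%';

-- 3. Lock and expire a sample schema such as SCOTT/TIGER ...
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
--    ... or remove it outright if it will never be used (drops its objects too):
-- DROP USER scott CASCADE;

-- 4. Record every login attempt and every change to accounts/privileges.
--    AUDIT_TRAIL is a static parameter: set it in the spfile and restart.
ALTER SYSTEM SET audit_trail = 'DB' SCOPE = SPFILE;
AUDIT CREATE SESSION BY ACCESS;
AUDIT ALTER USER, CREATE USER, DROP USER, GRANT ANY PRIVILEGE;

-- 5. A password profile that limits online guessing against what stays open:
--    5 failures lock the account for one hour (PASSWORD_LOCK_TIME is in days).
CREATE PROFILE hardened LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24
  PASSWORD_LIFE_TIME    90;
ALTER USER system PROFILE hardened;

-- 6. Review failed logins from the audit trail
--    (return code 1017 = ORA-01017 invalid username/password).
SELECT username, os_username, userhost, timestamp
  FROM dba_audit_session
 WHERE returncode = 1017
 ORDER BY timestamp DESC;
```

Step 4 only produces records once the instance has been restarted with AUDIT_TRAIL=DB, so run it first and verify with `SHOW PARAMETER audit_trail` before relying on step 6; on a 9i system, step 2 has to be replaced with a manual attempt to connect as each well-known account with its shipped password.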