Database Reference
In-Depth Information
trace_level_client=support
trace_directory_client=<user's home directory>
and restarting the application, the clear-text password may be retrieved from the trace file.¹
[28-NOV-2007 23:10:54:156] nspsend: 00 2E 42 45 47 49 4E 20 |..BEGIN.|
[28-NOV-2007 23:10:54:156] nspsend: 64 62 6D 73 5F 73 65 73 |dbms_ses|
[28-NOV-2007 23:10:54:156] nspsend: 73 69 6F 6E 2E 73 65 74 |sion.set|
[28-NOV-2007 23:10:54:156] nspsend: 5F 72 6F 6C 65 28 3A 72 |_role(:r|
[28-NOV-2007 23:10:54:156] nspsend: 6F 6C 65 5F 63 6D 64 29 |ole_cmd)|
[28-NOV-2007 23:10:54:156] nspsend: 3B 20 45 4E 44 3B 0A 00 |;.END;..|
[28-NOV-2007 23:10:54:156] nspsend: 01 00 00 00 01 00 00 00 |........|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 00 00 00 00 |........|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 00 00 00 00 |........|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 08 00 00 00 |........|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 00 00 00 00 |........|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 00 00 00 00 |........|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 01 01 03 00 |........|
[28-NOV-2007 23:10:54:156] nspsend: 00 32 00 00 00 00 00 00 |.2......|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 00 00 00 00 |........|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 00 B2 00 01 |........|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 00 07 1F 61 |.......a|
[28-NOV-2007 23:10:54:156] nspsend: 70 70 72 6F 6C 65 20 69 |pprole.i|
[28-NOV-2007 23:10:54:156] nspsend: 64 65 6E 74 69 66 69 65 |dentifie|
[28-NOV-2007 23:10:54:156] nspsend: 64 20 62 79 20 74 6F 70 |d.by.top|
[28-NOV-2007 23:10:54:156] nspsend: 73 65 63 72 65 74 |secret |
The safe way to implement privileges that are available only when connecting through an application is to use proxy authentication in conjunction with Oracle Internet Directory and secure application roles. A secure application role is enabled by a PL/SQL package procedure that verifies the caller's context before calling DBMS_SESSION.SET_ROLE, so no role password ever crosses the wire or lands in a trace file.
Of course, the same vulnerability also applies to CREATE USER user_name IDENTIFIED BY password. This statement also sends the password in clear text.
[08-SEP-2007 09:28:23:864] nspsend: 08 23 43 52 45 41 54 45 |.#CREATE|
[08-SEP-2007 09:28:23:864] nspsend: 20 55 53 45 52 20 68 72 |.USER.hr|
[08-SEP-2007 09:28:23:864] nspsend: 20 49 44 45 4E 54 49 46 |.IDENTIF|
[08-SEP-2007 09:28:23:864] nspsend: 49 45 44 20 42 59 20 73 |IED.BY.s|
[08-SEP-2007 09:28:23:864] nspsend: 65 63 72 65 74 01 00 00 |ecret...|
Hence you should create users as externally identified (CREATE USER user_name IDENTIFIED EXTERNALLY) and then set the password with the SQL*Plus command PASSWORD, which does not transmit the new password as part of a SQL statement.
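The retrieval described above can be automated, both to confirm the leak and to audit a trace directory before cli_*.trc files are handed to support or copied elsewhere. The script below is an added example written for this page, not code from the book or from Oracle. It reassembles the client-to-server byte stream from the nspsend lines of a trace and searches it for IDENTIFIED BY; the check deliberately also covers ALTER USER ... IDENTIFIED BY, which is sent as SQL text in the same way. The function names and the masking of the reported password are my own choices, and the embedded sample is abridged from the two dumps on this page.

```python
"""Scan Oracle Net client trace files (cli_<spid>.trc written with
trace_level_client=support) for passwords leaked in nspsend dumps.
Added example for this page; not code from the book or from Oracle."""
import re
import sys
from pathlib import Path

# One nspsend dump line: "[timestamp] nspsend: <hex bytes> |<ascii>|".
# Only the hex column is used; the ASCII column renders non-printables as dots.
NSPSEND_RE = re.compile(r"\]\s+nspsend:\s+((?:[0-9A-Fa-f]{2}\s+)+)\|")

# Statements that carry the secret as literal text in the SQL stream:
#   SET ROLE <role> IDENTIFIED BY <pw>   (also inside dbms_session.set_role,
#   as the first dump on this page shows)
#   CREATE USER / ALTER USER <user> IDENTIFIED BY <pw>
# The password is a double-quoted identifier or a run of printable, non-blank
# bytes; Oracle Net framing bytes such as \x01 or \x08 terminate it.
IDENTIFIED_BY_RE = re.compile(
    rb'(\w+)\s+IDENTIFIED\s+BY\s+("[^"]*"|[^\x00-\x20]+)', re.IGNORECASE)

# Constructed sample: the two dumps on this page, abridged (the all-zero
# padding lines between the PL/SQL block and the bind value are left out).
SAMPLE_TRACE = """\
[28-NOV-2007 23:10:54:156] nspsend: 00 2E 42 45 47 49 4E 20 |..BEGIN.|
[28-NOV-2007 23:10:54:156] nspsend: 64 62 6D 73 5F 73 65 73 |dbms_ses|
[28-NOV-2007 23:10:54:156] nspsend: 73 69 6F 6E 2E 73 65 74 |sion.set|
[28-NOV-2007 23:10:54:156] nspsend: 5F 72 6F 6C 65 28 3A 72 |_role(:r|
[28-NOV-2007 23:10:54:156] nspsend: 6F 6C 65 5F 63 6D 64 29 |ole_cmd)|
[28-NOV-2007 23:10:54:156] nspsend: 3B 20 45 4E 44 3B 0A 00 |;.END;..|
[28-NOV-2007 23:10:54:156] nspsend: 00 00 00 00 00 07 1F 61 |.......a|
[28-NOV-2007 23:10:54:156] nspsend: 70 70 72 6F 6C 65 20 69 |pprole.i|
[28-NOV-2007 23:10:54:156] nspsend: 64 65 6E 74 69 66 69 65 |dentifie|
[28-NOV-2007 23:10:54:156] nspsend: 64 20 62 79 20 74 6F 70 |d.by.top|
[28-NOV-2007 23:10:54:156] nspsend: 73 65 63 72 65 74 |secret |
[08-SEP-2007 09:28:23:864] nspsend: 08 23 43 52 45 41 54 45 |.#CREATE|
[08-SEP-2007 09:28:23:864] nspsend: 20 55 53 45 52 20 68 72 |.USER.hr|
[08-SEP-2007 09:28:23:864] nspsend: 20 49 44 45 4E 54 49 46 |.IDENTIF|
[08-SEP-2007 09:28:23:864] nspsend: 49 45 44 20 42 59 20 73 |IED.BY.s|
[08-SEP-2007 09:28:23:864] nspsend: 65 63 72 65 74 01 00 00 |ecret...|
"""


def reassemble_nspsend(lines):
    """Concatenate the bytes of every nspsend line, in file order, into the raw
    client-to-server stream. nsprecv (server-to-client) and all other trace
    lines are ignored. Oracle Net packet headers stay in the stream, so a
    password split across two packets would be found only in part."""
    out = bytearray()
    for line in lines:
        m = NSPSEND_RE.search(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))
    return bytes(out)


def find_leaked_passwords(lines):
    """Return (subject, password) pairs; subject is the role or user name
    that precedes IDENTIFIED BY."""
    stream = reassemble_nspsend(lines)
    return [(s.decode("latin-1"), p.decode("latin-1"))
            for s, p in IDENTIFIED_BY_RE.findall(stream)]


def mask(password):
    """Keep only the first character so the report does not repeat the secret."""
    return password[0] + "*" * (len(password) - 1)


def scan_trace_dir(trace_dir):
    """Yield (file, subject, masked password) for every cli_*.trc in trace_dir."""
    for path in sorted(Path(trace_dir).glob("cli_*.trc")):
        with open(path, encoding="latin-1", errors="replace") as fh:
            for subject, pw in find_leaked_passwords(fh):
                yield str(path), subject, mask(pw)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # audit a real trace directory
        for path, subject, masked in scan_trace_dir(sys.argv[1]):
            print(f"{path}: {subject} IDENTIFIED BY {masked}")
    else:                                      # demonstrate on the page's dumps
        for subject, pw in find_leaked_passwords(SAMPLE_TRACE.splitlines()):
            print(f"{subject} IDENTIFIED BY {mask(pw)}")
```

Run without arguments to see the two leaks from the dumps above (approle / topsecret and hr / secret); pass a trace directory to audit its cli_*.trc files. Only nspsend lines are examined, so the server's replies never enter the search, and the report masks everything after the first character of each password so the audit log does not become a second copy of the secret.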
1. The naming convention for Oracle Net trace files is cli_spid.trc, where spid is the client process identifier.