trace_level_client=support
trace_directory_client=c:\temp
After running the SQL statement ALTER USER ndebes IDENTIFIED BY secret, the trace file
contains the unencrypted password.
[28-SEP-2007 18:07:38:305] nspsend: 00 26 41 4C 54 45 52 20 |.&ALTER.|
[28-SEP-2007 18:07:38:305] nspsend: 55 53 45 52 20 6E 64 65 |USER.nde|
[28-SEP-2007 18:07:38:305] nspsend: 62 65 73 20 49 44 45 4E |bes.IDEN|
[28-SEP-2007 18:07:38:305] nspsend: 54 49 46 49 45 44 20 42 |TIFIED.B|
[28-SEP-2007 18:07:38:305] nspsend: 59 20 73 65 63 72 65 74 |Y.secret|
This vulnerability does not apply to the SQL*Plus command PASSWORD, as is evident from
the Oracle Net trace file. After changing a password in the following manner:
SQL> PASSWORD ndebes
Changing password for ndebes
New password:
Retype new password:
Password changed
you will notice an encrypted password in the trace file.
[28-SEP-2007 18:12:17:602] nspsend: 06 6E 64 65 62 65 73 10 |.ndebes.|
[28-SEP-2007 18:12:17:602] nspsend: 00 00 00 10 41 55 54 48 |....AUTH|
[28-SEP-2007 18:12:17:602] nspsend: 5F 4E 45 57 50 41 53 53 |_NEWPASS|
[28-SEP-2007 18:12:17:602] nspsend: 57 4F 52 44 40 00 00 00 |WORD@...|
[28-SEP-2007 18:12:17:602] nspsend: 40 44 38 36 38 43 39 36 |@D868C96|
[28-SEP-2007 18:12:17:602] nspsend: 41 42 34 43 42 37 39 39 |AB4CB799|
[28-SEP-2007 18:12:17:602] nspsend: 36 41 44 34 31 36 36 31 |6AD41661|
[28-SEP-2007 18:12:17:602] nspsend: 32 44 43 41 36 46 42 37 |2DCA6FB7|
[28-SEP-2007 18:12:17:602] nspsend: 43 46 44 39 35 41 35 33 |CFD95A53|
[28-SEP-2007 18:12:17:602] nspsend: 34 35 33 41 45 35 34 39 |453AE549|
[28-SEP-2007 18:12:17:602] nspsend: 35 36 39 34 46 45 37 36 |5694FE76|
[28-SEP-2007 18:12:17:602] nspsend: 36 33 31 38 44 43 43 43 |6318DCCC|
[28-SEP-2007 18:12:17:602] nspsend: 31 00 00 00 00 0D 00 00 |1.......|
[28-SEP-2007 18:12:17:602] nspsend: 00 0D 41 55 54 48 5F 50 |..AUTH_P|
[28-SEP-2007 18:12:17:602] nspsend: 41 53 53 57 4F 52 44 00 |ASSWORD.|
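To audit existing client trace files for the first kind of exposure, the sketch below rebuilds the sent bytes from the nspsend hex rows and reports each cleartext ALTER USER ... IDENTIFIED BY statement without echoing the password. It is an added example, not code from the book or from Oracle; the function name and both regular expressions are assumptions based only on the row layout in the excerpts above, and consecutive rows are treated as one byte stream.

```python
import re

# One hex-dump row of the trace format shown above:
# [timestamp] nspsend: <hex bytes> |printable column|
ROW = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+nspsend:\s+(?P<hex>(?:[0-9A-Fa-f]{2}\s+)+)\|")
# IDENTIFIED BY VALUES carries a password hash, not the password, so it is skipped.
STMT = re.compile(rb"ALTER\s+USER\s+(\S+)\s+IDENTIFIED\s+BY\s+(?!VALUES\b)\S", re.I)

def find_cleartext_password_changes(trace_text):
    """Return [(timestamp, username)] per cleartext ALTER USER ... IDENTIFIED BY.
    The password is deliberately not returned."""
    payload, starts = bytearray(), []
    for line in trace_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # ignore every other kind of trace line
        starts.append((len(payload), m.group("ts")))
        payload += bytes.fromhex(m.group("hex"))
    findings = []
    for hit in STMT.finditer(bytes(payload)):
        # timestamp of the dump row in which the statement begins
        ts = [t for off, t in starts if off <= hit.start()][-1]
        findings.append((ts, hit.group(1).decode("latin-1")))
    return findings

# Rows copied from the two trace excerpts above (second excerpt shortened).
ALTER_USER_TRACE = """\
[28-SEP-2007 18:07:38:305] nspsend: 00 26 41 4C 54 45 52 20 |.&ALTER.|
[28-SEP-2007 18:07:38:305] nspsend: 55 53 45 52 20 6E 64 65 |USER.nde|
[28-SEP-2007 18:07:38:305] nspsend: 62 65 73 20 49 44 45 4E |bes.IDEN|
[28-SEP-2007 18:07:38:305] nspsend: 54 49 46 49 45 44 20 42 |TIFIED.B|
[28-SEP-2007 18:07:38:305] nspsend: 59 20 73 65 63 72 65 74 |Y.secret|
"""
PASSWORD_CMD_TRACE = """\
[28-SEP-2007 18:12:17:602] nspsend: 06 6E 64 65 62 65 73 10 |.ndebes.|
[28-SEP-2007 18:12:17:602] nspsend: 00 00 00 10 41 55 54 48 |....AUTH|
[28-SEP-2007 18:12:17:602] nspsend: 5F 4E 45 57 50 41 53 53 |_NEWPASS|
[28-SEP-2007 18:12:17:602] nspsend: 57 4F 52 44 40 00 00 00 |WORD@...|
"""

if __name__ == "__main__":
    for name, text in (("ALTER USER", ALTER_USER_TRACE), ("PASSWORD", PASSWORD_CMD_TRACE)):
        print(name, find_cleartext_password_changes(text))
```

Any trace file that produces a finding should be treated as containing a credential: rotate the password and delete or restrict the file.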