OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Melanie Abbas (abbasUNI.EDU)
Date: Mon May 07 2001 - 08:12:23 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    The version of ADI (Application Desktop Integrator) 7.1.1.10.1 which was
    recently shipped with Oracle's Financial Applications version 11.5.3
    contains a major security breach.

    Whenever the software is launched, it creates a file called dbg.txt on the
    local hard drive on the system which contains in PLAIN TEXT the usernames
    and passwords for both the application user and the APPS schema!

    To explain further:
    The software runs on Windows systems and uses the net8 client to talk to
    the database, however, user's logon as their application ID and password,
    not directly to the database.

    In order for this to work, the application goes to the database with a
    public username/password that must never be changed for the application to
    function. The username/password is APPLYSYSPUB and the password is PUB
    (this is openly documented). This database account is able to find the
    APPS schema and encrypted password in the database. It then unencrypts the
    password and uses it to connect to the database. It has always done this
    in order to function, however, for some reason, this release creates what
    appears to be a debug file on the local hard drive and stores this
    information in PLAIN TEXT!

    Since release 11 (I believe) all access to the database for the financial
    applications is done by the APPS schema. Thus, the APPS schema has full
    control of all the tables within the database!

    I have opened a technical assistance request with Oracle and they are
    working on a fix. It is apparantly some code that is in the fndpub11i.dll
    that was delivered with the 7.1.1.10.1 version. They suggest we get an
    earlier release and use the fndpub11i.dll from that version or wait for
    the newer release which should be out soon.

    So, if you use ADI, or have locations where users have a net8 client
    connection to your financials database, do NOT install the 7.1.1.10.1
    version! Also be aware that if your users have access to Metalink, the
    offending version is still available for download!

    --
    Melanie Abbas
    Oracle Application Administrator - ITS
    University of Northern Iowa
    
    Be content with such things as you have. For God himself has said, I shall
    never leave you nor forsake you.	-Hebrews 13:5
    

    Office: GIL 255 Regular hours: 8:00-5:00 Phone: 273-6452 Fax: 273-5836 Beeper: 833-4489