From: Simon Waters (SimonWRETCHED.DEMON.CO.UK)
Date: Mon Feb 05 2001 - 15:18:11 CST

    One general Oracle networking hole that I spotted the other day in the
    patch database was to stop unpassword protected listeners having their
    log file redirected at unsuspecting files owned by the Oracle user.

    Thus if there is no password on the listener, anyone could request it to
    write its log over any file owned by the appropriate user.

    That said I found lots of issues like this with Net8 before I discovered
    how to lock down Oracle networking. I doubt many people have these all
    lovingly locked down as the expertise on the topic was surprisingly
    scarce, especially Oracle nameserver, I learnt it for the project and
    have conveniently forgotten as much as possible.
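
A configuration check for the exposure described in the message above, as an added example that is not part of the original post or of any Oracle tooling. It assumes the standard `listener.ora` parameters `PASSWORDS_<listener>`, `ADMIN_RESTRICTIONS_<listener>` and `LOG_FILE_<listener>` from Oracle Net documentation (none are named in the post); the sample file, host names and password value are constructed.

```python
import re

# Constructed sample listener.ora (not from the post): LISTENER has no
# password; LSNR_HARD has a password entry and runtime SET commands disabled.
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1521)))
LOG_FILE_LISTENER = listener.log

LSNR_HARD =
  (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1522))
PASSWORDS_LSNR_HARD = (0123456789ABCDEF)
ADMIN_RESTRICTIONS_LSNR_HARD = ON
"""

def parse_params(text):
    """Return {NAME: value}; a name at column 0 starts an entry, indented lines continue it."""
    params, name = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"([A-Za-z][\w.]*)\s*=\s*(.*)$", line)
        if m:
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name:
            params[name] += " " + line.strip()
    return params

def audit(text):
    """Map each listener (any entry whose value holds an ADDRESS) to its findings."""
    params = parse_params(text)
    report = {}
    for name, value in params.items():
        if not re.search(r"\(\s*ADDRESS\s*=", value, re.I):
            continue
        findings = []
        if not params.get("PASSWORDS_" + name, "").strip("() "):
            findings.append("no listener password")
        if params.get("ADMIN_RESTRICTIONS_" + name, "").strip().upper() != "ON":
            findings.append("runtime SET commands allowed")
        report[name] = findings
    return report

if __name__ == "__main__":
    for lsnr, findings in audit(SAMPLE).items():
        print(lsnr, "->", findings or "ok")
```

A listener reported with both findings is in the state the message describes: no password, and its log file location can still be changed at runtime.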