Date: Fri, 18 Jan 2002 11:30:43 -0800
From: "bugtraq@t-swat.com" <bugtraq@t-swat.com>
To: Jonathan A. Zdziarski <jonathan@cafejesus.com>
Cc: bugtraq@securityfocus.com
Subject: RE: Breakable

Jonathan-

Just a couple of points:

To clarify, the "host" command is client-based.  For instance, when I 
SQLPLUS into a remote database, and I use the host command, it breaks me 
out into the directory of the local machine, not the server you're 
connected into.  Same goes for any local shell commands.  I don't see that 
as being a security risk.

As to the System and Sys accounts having defaulted passwords, the last time 
I installed 9i it made me change them at the time of install.  The accounts 
were also locked, and not accessible, until I went in as INTERNAL and 
modified them.  I find this to be somewhat acceptable behaviour.

As to the other accounts (SCOTT/TIGER, etc.), that is a good point, but 
covered quite clearly in the "how to secure your database" documentation.


I think it comes right down to the fact that Oracle is an extremely 
complex, yet powerful database, and anyone that is going to do any kind of 
professional development with it or use it in a "public" environment (as in 
exposed to the world) should understand how to use auditing, and lock out 
or remove unwanted accounts, and how to architect applications, systems, 
and security appropriately.  When you currently perform a default install 
of Oracle, it is in a "relatively" secure, yet "easy" to use config that 
allows people to explore and learn about it without having to figure out 
how to unlock it first.

I think that anyone who is not familiar with Oracle and yet implements it 
in a vulnerable place without taking the appropriate cautions is almost 
deserving to be hacked.  (This ain't your fathers Access database!)


$0.02


...jeff