Everhart, Glenn

From: James Kivisild [kivisild@MAILHOST.TCS.TULANE.EDU]
Sent: Thursday, March 04, 1999 3:16 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Oracle Plaintext Password

I apologize if this has been mentioned before; however, I haven't had any time to pursue this issue with any vigor.

I recently installed Oracle 8.0.3 Enterprise Edition on an NT 4.0 Workstation and I noticed a particular feature within Oracle Database Assistant v1.0 that might be of some interest/concern.

During the creation of an Oracle database, the Database Assistant lets you create either a custom or typical (default) database. If you select "custom" database, you must enter a master password that controls the administrative features in the database. If you select "typical", this password defaults to 'oracle'.

As the database is created, the Server Manager reports all activities to a log file. This log file, "\orant\database\spoolmain.log", even logs the master password as it connects to the server to continue the setup. The entry is as follows:

    Echo ON
    SVRMGR> connect INTERNAL/MYPASSWORD
    Connected.

Not only is this password in plaintext, but the file has permissions that enable anyone to view it (owned by Admins, but full control for everyone).

I believe the setup informs you that the file exists and should be checked for errors, but I didn't find any other reference to it in the documentation. The log does get overwritten each time you create a new database; however, that just limits the number of plaintext passwords to one.

Once again, I haven't had time to look into this, but it seems like a potential problem worth mentioning.

-James Kivisild
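As an added example (not part of the original post or of Oracle's tooling), the following script shows how an administrator could scan a Server Manager spool log such as spoolmain.log for echoed "connect user/password" lines, report which accounts had their password logged, and write back a redacted copy before the file is left readable to everyone. The log content below is constructed to mirror the entry quoted in the post; the "system/EXAMPLEPW@ORCL" line and the startup command are assumed additions.

```python
import re
from typing import List, Tuple

# Constructed sample of a Server Manager spool log (not a real capture).
# The "connect INTERNAL/<password>" line is the entry the post describes;
# the remaining lines are assumed filler to exercise the parser.
SAMPLE_SPOOLMAIN_LOG = """\
Echo ON
SVRMGR> connect INTERNAL/MYPASSWORD
Connected.
SVRMGR> connect system/EXAMPLEPW@ORCL
Connected.
SVRMGR> startup nomount pfile=D:\\orant\\database\\initorcl.ora
ORACLE instance started.
"""

# An echoed SVRMGR connect command that embeds a password: "user/password"
# with an optional "@service" suffix. Case-insensitive because commands are
# echoed exactly as typed by the setup tool.
_CONNECT_RE = re.compile(
    r"^(?P<prefix>\s*SVRMGR>\s*connect\s+)(?P<user>[^\s/]+)/"
    r"(?P<password>[^\s@]+)(?P<suffix>@\S+)?\s*$",
    re.IGNORECASE,
)


def find_plaintext_credentials(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, username) for every connect line carrying a
    password. The passwords themselves are deliberately not returned."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _CONNECT_RE.match(line)
        if m:
            findings.append((lineno, m.group("user")))
    return findings


def redact_log(log_text: str) -> str:
    """Rewrite the log with each embedded password replaced by a marker,
    keeping the username and service so the log stays useful for debugging."""
    out = []
    for line in log_text.splitlines():
        m = _CONNECT_RE.match(line)
        if m:
            line = f"{m.group('prefix')}{m.group('user')}/<REDACTED>{m.group('suffix') or ''}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, user in find_plaintext_credentials(SAMPLE_SPOOLMAIN_LOG):
        print(f"line {lineno}: password for account '{user}' was logged in clear")
    print(redact_log(SAMPLE_SPOOLMAIN_LOG), end="")
```

Redacting the file does not undo the exposure: the password already written should be treated as disclosed and changed, and the file's "full control for Everyone" permission tightened, since the log is recreated on the next database build.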