Bugtraq mailing list archives
Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator
From: "David Howe" <DaveHowe () Bigfoot com>
Date: Fri, 25 May 2001 17:42:25 +0100
"Pavel Machek" <pavel () ucw cz> said:
> Is it just me or does this sound like "security by obscurity"? What if I sit down and write an evil PAVEL11I.DLL that *looks* like the production one but dumps passwords as the debug one does?
Then you will have the passwords. However, if you can do this anyhow, you can compromise *any* program whose interface you can sufficiently understand (look for a DLL that gets password information as an argument and rewrite it to dump it elsewhere; I suspect there are a lot of these about). There have also been a *lot* of programs where the patched version is only a single file (DLL or EXE). In almost all cases, overwriting the updated file with the old one will re-enable the vulnerability; this is to be expected with the way Windows handles DLLs, and there isn't much you can do about it. It doesn't mean the patch is worthless though, as you shouldn't be allowing random replacements of DLLs anyhow (particularly ones to security-sensitive programs).
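The check a practitioner would pair with the point above is a file-integrity baseline of the application's binaries, taken right after the patch is applied and re-verified afterwards, so that a DLL silently swapped back to the unpatched copy (or replaced by a trojaned one) is caught. The following is an added example and not code from the thread or from Oracle; the directory layout, the file names (auth.dll, dropped.dll) and the byte contents standing in for "patched" and "old" DLLs are all constructed for the demonstration.

```python
"""Baseline-and-verify check for DLL replacement (added example, not from the thread)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(app_dir, suffixes=(".dll", ".exe")):
    """Record the digest of every binary under app_dir, keyed by relative path.

    Take the baseline immediately after applying a patch and store it where the
    application's own users cannot write; an attacker who can swap a DLL must
    not also be able to re-baseline the swapped copy. Paths are lower-cased
    because Windows file names are case-insensitive.
    """
    app_dir = Path(app_dir)
    baseline = {}
    for p in sorted(app_dir.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            baseline[p.relative_to(app_dir).as_posix().lower()] = sha256_of(p)
    return baseline


def verify_baseline(app_dir, baseline, suffixes=(".dll", ".exe")):
    """Compare the current tree against a stored baseline.

    Returns three sorted lists: binaries whose digest changed (a downgrade to
    the unpatched file, or a trojaned replacement), binaries that vanished,
    and binaries that appeared without being in the baseline.
    """
    current = build_baseline(app_dir, suffixes)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: patch applied, baseline taken, old DLL copied back.

    The byte strings below stand in for real PE files; they are constructed
    sample input, not real DLL contents.
    """
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp)
        (app_dir / "bin").mkdir()
        patched_dll = app_dir / "bin" / "auth.dll"
        patched_dll.write_bytes(b"MZ-patched-build: password not logged")
        (app_dir / "bin" / "app.exe").write_bytes(b"MZ-main-executable")
        (app_dir / "readme.txt").write_bytes(b"not a binary, ignored")

        baseline = build_baseline(app_dir)

        # Downgrade: someone overwrites the patched DLL with the old copy,
        # and drops an extra DLL alongside it.
        patched_dll.write_bytes(b"MZ-old-build: dumps password to debug log")
        (app_dir / "bin" / "dropped.dll").write_bytes(b"MZ-unexpected-file")

        return verify_baseline(app_dir, baseline)


if __name__ == "__main__":
    print(demo())
```

A hash baseline is a point-in-time check and only as trustworthy as the place the baseline is stored. Authenticode signature verification is the complementary check on Windows, but note the gap the thread is really about: an old, genuinely vendor-signed DLL passes a signature check and still re-enables the bug, while the baseline comparison above flags it as modified.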
Current thread:
- Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator Oracle Security Alerts (May 22)
- Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator Pavel Machek (May 25)
- Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator David Howe (May 28)
- Re: Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator Pavel Machek (May 25)