WebApp Sec mailing list archives
RE: Oracle External Users
From: "Amichai Shulman" <shulman () imperva com>
Date: Tue, 6 Dec 2005 08:41:49 +0200
AFAK using OS authentication for remote connection to the database in Oracle is highly insecure. There is no mechanism to prevent the abuse of OS authenticated accounts by a remote attacker, if REMOTE_OS_AUTHENTICATION is set to TRUE. Basically the database server relies on the username as embedded in the TNS connect message. The contents of this field can be replaced using simple tools. This issue has been documented long ago.

There are other mechanisms that allow an Oracle database server to rely on an external authentication and user management system. Namely, the Enterprise User account type is used for this purpose.

Amichai Shulman
CTO
Imperva, Inc.
12 Hachilazon St. Ramat-Gan Israel
Office: 972-3-6120133 (103)
Mobile: 972-54-5885083
E-mail: shulman () imperva com
................................
InfoWorld product review gives Imperva the HIGHEST SCORE in Application Security
http://imperva.com/go/iw/

-----Original Message-----
From: Damien Lewis [mailto:dwlewis () comcast net]
Sent: Monday, December 05, 2005 3:08 AM
To: webappsec () securityfocus com
Subject: Oracle External Users

Hello,

I'm in the process of reviewing a list of users (DBA_USERS table) from an Oracle Database and have come across several accounts with the PASSWORD field being "EXTERNAL". It is my understanding that these accounts are authenticated by the operating system, but how exactly do you go about authenticating using this account (i.e. could I connect via SQL Plus or an ODBC connection) and is there any other control(s) within Oracle that would prevent any user from creating a user id that matches the account name in DBA_USERS table on another computer and logging in as that user to the Oracle database?

Thanks
D
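The thread above turns on two things a reviewer can check directly in the database: which accounts are externally (OS) authenticated, and whether the instance trusts an OS user name supplied by a remote client. The following audit queries are an added example for this archive page, not something either poster wrote. They assume a DBA session on Oracle 11g or later, where DBA_USERS exposes both the PASSWORD value 'EXTERNAL' that the original question noticed and the AUTHENTICATION_TYPE column, and where the initialization parameters remote_os_authent and os_authent_prefix are visible in V$PARAMETER.

```sql
-- Added audit queries (not part of the original thread). Run as a DBA
-- against the instance under review. Assumes Oracle 11g+ for the
-- AUTHENTICATION_TYPE column; on older releases drop that predicate and
-- rely on PASSWORD = 'EXTERNAL' alone, as the original question did.

-- 1. Inventory of OS-authenticated accounts. These are the accounts whose
--    name the server compares against the user name carried in the
--    client's connect request rather than against a stored password.
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'EXTERNAL'
    OR authentication_type = 'EXTERNAL'
 ORDER BY username;

-- 2. Does the instance accept OS authentication from remote clients, and
--    which prefix (default OPS$) maps an OS user to a database account?
--    Hardened value for remote_os_authent is FALSE.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 3. The finding the reply warns about: an OPEN externally authenticated
--    account on an instance where remote_os_authent is TRUE. Every row
--    returned is reachable by any remote client presenting that user name.
SELECT u.username,
       u.account_status,
       p.value AS remote_os_authent
  FROM dba_users u
 CROSS JOIN (SELECT value
               FROM v$parameter
              WHERE name = 'remote_os_authent') p
 WHERE (u.password = 'EXTERNAL' OR u.authentication_type = 'EXTERNAL')
   AND u.account_status = 'OPEN'
   AND UPPER(p.value) = 'TRUE';

-- Remediation for rows returned by query 3. remote_os_authent is a static
-- parameter, so the change takes effect after the next instance restart;
-- until then, lock the exposed accounts or move them to password or
-- enterprise-user authentication.
-- ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
-- ALTER USER <external_account_name> ACCOUNT LOCK;
```

Query 1 answers the original poster's "which accounts" question; query 2 answers the follow-up about whether Oracle has any control over a remote host choosing the matching OS user name (the only control is the parameter itself); query 3 combines the two into a single finding list suitable for an audit report.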