FYI only.. On the same/similar note, David just got cited here wrt SQL:
http://blogs.zdnet.com/security/?p=663

On Nov 13, 2007 2:27 PM, David Litchfield <[EMAIL PROTECTED]> wrote:
> Hey all,
> After investigating 11g the other day I came across an interesting issue.
> During the installation of Oracle 11g and 10g all accounts, including the
> SYS and SYSTEM accounts, have their default passwords and only at the end of
> the install are the passwords changed. This means that there is a window of
> opportunity for an attacker to log into the database server during the
> install process. Depending upon "which" install options you choose
> determines the size of the window. Full details for those that are
> interested can be found here:
> http://www.davidlitchfield.com/blog/archives/00000030.htm - since I reported
> this to Oracle on the 3rd of November they've updated their security
> checklist document:
>
> http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database_20071108.pdf
>
> Cheers,
> David Litchfield
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
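A post-install verification for the issue David describes, added here as an example (it is not from his post, his blog, or Oracle's checklist): it assumes Oracle 11g, where the DBA_USERS_WITH_DEFPWD view exists, is run as SYSDBA once the installer has finished, and the install window in the last query is a constructed placeholder to be replaced with the real start and end times.

```sql
-- Added example, not from the original post. Assumes Oracle 11g
-- (DBA_USERS_WITH_DEFPWD is not available in 10g), run as SYSDBA
-- after the installer has completed its password-change step.

-- 1. Which accounts still carry an Oracle-supplied default password?
--    OPEN accounts are listed first, since they are the ones an attacker
--    could have used during the install window.
SELECT u.username,
       u.account_status,
       u.profile,
       u.created
  FROM dba_users u
  JOIN dba_users_with_defpwd d ON d.username = u.username
 ORDER BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          u.username;

-- 2. Generate remediation statements instead of running them blind.
--    SYS and SYSTEM are excluded: locking them breaks administration,
--    so they should get a fresh password with ALTER USER ... IDENTIFIED BY.
SELECT 'ALTER USER "' || d.username || '" PASSWORD EXPIRE ACCOUNT LOCK;'
         AS remediation
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
   AND d.username NOT IN ('SYS', 'SYSTEM')
 ORDER BY d.username;

-- 3. Did anyone log in while the defaults were still live? Requires
--    AUDIT SESSION to have been enabled during the install; the two
--    timestamps below are constructed placeholders for the actual
--    install start and the post-install password change.
SELECT username,
       os_username,
       userhost,
       timestamp,
       returncode          -- 0 = successful logon, non-zero = failure
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND timestamp BETWEEN TO_TIMESTAMP('2007-11-13 09:00:00', 'YYYY-MM-DD HH24:MI:SS')
                     AND TO_TIMESTAMP('2007-11-13 11:30:00', 'YYYY-MM-DD HH24:MI:SS')
 ORDER BY timestamp;
```

The first query should return no OPEN rows on a correctly finished install; any OPEN row, or any logon in the third query from a host other than the one running the installer, is worth following up.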
