This really increases my faith in the continuing push towards electronic medical records. /sarcasm
--Rohit Patnaik On Mon, Oct 19, 2009 at 10:33 AM, Shawn Merdinger <[email protected]>wrote: > Great find! > > And should we _really be surprised_ at the following bounce? > > <snip> > > Delivery to the following recipient failed permanently: > > [email protected] > > Technical details of permanent failure: > Google tried to deliver your message, but it was rejected by the > recipient domain. We recommend contacting the other email provider for > further information about the cause of this error. The error that the > other server returned was: 550 550 Mailbox unavailable or access > denied - <[email protected]> (state 17). > > </snip> > > Cheers, > --scm > > > On Sun, Oct 18, 2009 at 1:39 AM, Derek Lewis <[email protected]> wrote: > > Subject: McKesson Horizon Clinical Infrastructure (HCI) version > > 7.6/7.8/10.0/10.1 hardcoded passwords > > > > McKesson Horizon Clinical Infrastructure, also known as McKesson HCI, > > utilizes hardcoded passwords > > for Oracle database access. HCI serves as the patient record datastore > for > > the majority of McKesson applications. There are two components to an HCI > > implementation: the Infrastructure (or Master) server > > and the database back-end. The HCI Infrastructure Server has an Oracle > > client installed that initializes > > OCI/sqlplus connections to the Oracle database back-end. A file on each > HCI > > Infrastructure server > > contains the database account usernames and their respective passwords, > > /usr/local/bin/password. Content from /usr/local/bin/password is shown: > > > > # cat /usr/local/bin/password > > AMBU:hacschema > > QUEUE_USER:qmanager > > SYS:alLp0ver2 > > SYSTEM:urA7mvP > > CHANGEMGR:datacontrol > > CCDEV:ccdev > > CCDBA:ccnulls *HAS ORACLE SYSDBA PRIVS* > > CCDATA:ccdata > > CCFORMS:ccforms > > CCINTERFACE:ccinterface > > MCKHEO:mckheo > > CCREL:ccrel > > CCQUERY:ccquery > > CDXWEB:winplu5 > > DRUG1:fdb3schema > > DRUG2:fdb3schema > > enc_ent:encent > > ENT:entpazz > > ENT_CONFIG:ent_configpazz > > ADF:adfpazz > > INF:infpazz > > INF_CONFIG:inf_configpazz > > SDM:sdmpazz > > STRMADM:pazzw0rd > > ENT_AUD:pazzw0rd > > ENT_ARCH:pazzw0rd > > POC_ARCH:pazzw0rd > > POC_AQ:qmanager > > INF_AQ:qmanager > > DATAMGR:datamgr > > CCUSER:bueno > > ALERTS:monitorhca > > HCALERTS:alertsuser > > AM:ampazz > > AM_AUD:pazzw0rd > > AUD:audpazz > > TMF:tmfpazz > > MN:mnpazz > > EH:ehpazz > > NG:ngpazz > > DM:dmpazz > > DMTOOL:dmtoolpazz > > STG_DMT:stg_dmtpazz > > WRL:wrlpazz > > NOTES:notespazz > > REPORTS:reportspazz > > ICONS:iconspazz > > BS:bspazz > > QZ:qzpazz > > RM:rmpazz > > RM_AUD:pazzw0rd > > COMMGR:commgrpazz > > OPSERVICE:opservicepazz > > SEC_CONFIG:sec_configpazz > > CTXSYS:ctxsyspazz > > OLOGY:ologypazz > > OLOGY_CONFIG:ology_configpazz > > DOC:docpazz > > DOC_CONFIG:doc_configpazz > > PORTAL:portal > > PORTAL_INSTALL:portal_install > > EBIDBADMIN:ebidbadmin > > DESIGN_OWNER:owb > > OWB_RUNTIME_REPOSITORY:owb > > RUNTIME_A_USER:owb > > > > Despite having a "central" password file that contains the credential > > information, much of the credentials > > are hardcoded throughout binaries and scripts that are shipped as part of > > the HCI Infrastructure server. > > > > # cd /u/live > > # find . -type f -print | xargs grep ccnull | wc -l > > 85 > > > > Here is some context of how the credentials are used throughout the HCI > > code: > > > > # find . -type f -print | xargs grep ccnull > > ./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << > EOF > > ./all_ord:LOGIN=ccdba/ccnulls > > ./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE" > > ./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE" > > ./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG > > ./bin/Make_iv_template:ORD_SEQ=`sqlplus -S > ccdba/ccnulls$DB_SPEC_IF_REMOTE > > <<- ENDSQL > > > > McKesson supports HCI on the AIX, HP-UX, and Linux. The nature of > hardcoded > > passwords implies > > that for every customer that has purchased HCI, the credentials for all > of > > these role accounts are the same across the installations. > > > > According to the following press release, > > http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, > McKesson > > software is installed in 70% of hospitals within the US. HCI serves as > the > > core infrastructure > > component of other McKesson applications such as Horizon Lab, Horizon > > Patient Folder, Horizon CareLink, > > Horizon Expert Documentation, etc. > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
