Title: Oracle ADI Plain Text Password Storage Vulnerability
Severity: MODERATE
Description:
Oracle Application Desktop Integrator (ADI) is part of the Oracle Financial Applications. ADI is a software package designed to allow desktop users to manipulate the database from a personal computer.
A problem in the software package has been discovered that could allow the recovery of passwords. The problem occurs on the system on which the software has been installed, normally a desktop system using a Microsoft Windows Operating System.
Under normal operations, the software contacts the database remotely, using a known username and password, and retrieves the APPS Schema and encrypted password for the APPS Schema. This password is then decrypted locally on the system, and used for authentication to provide the user of the software package access to the database.
The password is normally stored in system memory, where it is retrievable, but not as easily as from a plain text file. Code in the fndpub11i.dll library places the decrypted password in a plain text file with the name dbg.txt.
This vulnerability additionally affects software that uses the Net8 client and a vulnerable version of the fndpub11i.dll library.
Affected Products:
- Oracle Application Desktop Integrator 7.1.1.10.1
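
An added audit example, not part of the original advisory and not Oracle's code: it sweeps a desktop's directories for files named dbg.txt and for copies of fndpub11i.dll, collecting metadata only and never opening the files. The search roots and the "high"/"review" labels are assumptions, since the advisory does not say where dbg.txt is written.

```python
import os
import sys
from datetime import datetime, timezone

DEBUG_FILE = "dbg.txt"      # plain text file named in the advisory
LIBRARY = "fndpub11i.dll"   # library the advisory says writes it


def scan(roots):
    """Walk each root and return (dbg_files, library_paths).

    Only metadata is collected; file contents are never opened.
    """
    dbg_files, libraries = [], []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
            for name in names:
                path = os.path.join(dirpath, name)
                lowered = name.lower()  # Windows names are case-insensitive
                if lowered == LIBRARY:
                    libraries.append(path)
                elif lowered == DEBUG_FILE:
                    try:
                        info = os.stat(path)
                    except OSError:
                        continue  # vanished or unreadable; skip it
                    modified = datetime.fromtimestamp(info.st_mtime, timezone.utc)
                    dbg_files.append({"path": path, "size": info.st_size,
                                      "modified": modified.isoformat()})
    return dbg_files, libraries


def triage(dbg_files, libraries):
    """Label each dbg.txt (assumed heuristic, not from the advisory).

    dbg.txt is a generic name, so a hit only rates "high" when the file is
    non-empty and the library is installed somewhere under the scanned roots.
    """
    results = []
    for item in dbg_files:
        level = "high" if item["size"] > 0 and libraries else "review"
        results.append((level, item["path"]))
    return sorted(results)


if __name__ == "__main__":
    found, libs = scan(sys.argv[1:] or ["C:\\"])  # default root is an assumption
    for level, path in triage(found, libs):
        print(f"{level:6} {path}")
    print(f"{len(libs)} copies of {LIBRARY} found")
```

Any file rated "high" should be treated as containing a live APPS credential: remove it securely and rotate the password.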