<div>FYI only.</div>
<div> </div>
<div>On the same / similar note, David just got cited here wrt SQL</div>
<div> </div>
<div><a href="http://blogs.zdnet.com/security/?p=663">http://blogs.zdnet.com/security/?p=663</a><br><br></div>
<div class="gmail_quote">On Nov 13, 2007 2:27 PM, David Litchfield <<a href="mailto:davidl@ngssoftware.com">davidl@ngssoftware.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hey all,<br>After investigating 11g the other day I came across an interesting issue.<br>During the installation of Oracle 11g and 10g all accounts, including the
<br>SYS and SYSTEM accounts, have their default passwords and only at the end of<br>the install are the passwords changed. This means that there is a window of<br>opportunity for an attacker to log into the database server during the
<br>install process. Depending upon "which" install options you choose<br>determines the size of the window. Full details for those that are<br>interested can be found here:<br><a href="http://www.davidlitchfield.com/blog/archives/00000030.htm" target="_blank">
http://www.davidlitchfield.com/blog/archives/00000030.htm</a> - since I reported<br>this to Oracle on the 3rd of November they've updated their security<br>checklist document:<br><a href="http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database_20071108.pdf" target="_blank">
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_<br>db_database_20071108.pdf</a><br>Cheers,<br>David Litchfield<br><br>_______________________________________________
<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia -
<a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br></blockquote></div><br>