COMMAND

    Oracle

SYSTEMS AFFECTED

    Oracle EE 8.0.3

PROBLEM

    James Kivisild found the following.  He recently installed Oracle
    8.0.3 Enterprise Edition on an NT 4.0 Workstation and noticed a
    particular feature within Oracle Database Assistant v1.0 that
    might be of some interest/concern.  During the creation of an
    Oracle database, the Database Assistant lets you create either a
    custom or typical (default) database.  If you select "custom"
    database, you must enter a master password that controls the
    administrative features in the database.  If you select "typical",
    this password defaults to 'oracle'.  As the database is created,
    the Server Manager reports all activities to a log file.  This log
    file, "\orant\database\spoolmain.log", even logs the master
    password as it connects to the server to continue the setup.  The
    entry is as follows:

        Echo                            ON
        SVRMGR> connect INTERNAL/MYPASSWORD
        Connected.

    Not only is this password in plaintext, but the file has
    permissions that enable anyone to view it (owned by Admins, but
    full control for everyone).  The log does get overwritten each
    time you create a new database; however, that just limits the
    number of plaintext passwords to one.
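
    An added example, not part of the original advisory or any Oracle
    tooling: a check that finds "connect USER/PASSWORD" entries in a
    spool log's text and returns a redacted copy.  The function name,
    the finding fields and the sample log are constructed for
    illustration.

```python
import re

# Matches Server Manager "connect USER/PASSWORD" lines, with or without the
# "SVRMGR>" prompt; anything after the password (e.g. an @alias) is kept.
CONNECT_RE = re.compile(
    r"^(?P<head>\s*(?:SVRMGR>\s*)?connect\s+)(?P<user>[^\s/@]+)/(?P<pw>[^\s@]+)",
    re.IGNORECASE,
)
DEFAULT_PASSWORD = "oracle"  # "typical" database default, per the advisory


def scan_spool_log(text):
    """Return (findings, redacted_text) for the contents of a spool log."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CONNECT_RE.match(line)
        if m:
            findings.append({
                "line": lineno,
                "user": m.group("user"),
                # Compared case-insensitively; the password is never stored.
                "default_password": m.group("pw").lower() == DEFAULT_PASSWORD,
            })
            line = m.group("head") + m.group("user") + "/********" + line[m.end():]
        out.append(line)
    return findings, "\n".join(out)


# Constructed sample modelled on the log excerpt quoted in the advisory.
SAMPLE_LOG = """\
Echo                            ON
SVRMGR> connect INTERNAL/MYPASSWORD
Connected.
SVRMGR> connect INTERNAL/oracle
Connected.
SVRMGR> connect INTERNAL
"""

if __name__ == "__main__":
    found, redacted = scan_spool_log(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print(redacted)
```

    Redacting the log does not protect a password that has already
    been exposed; it should also be changed, and the file's
    permissions tightened.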

SOLUTION

    Nothing yet.