| VID |
25006 |
| Severity |
40 |
| Port |
1521, ... |
| Protocol |
TCP |
| Class |
DB |
| Detailed Description |
When an Oracle database is created, accounts are created in the database for administrative and operational purposes. The default passwords for these accounts are widely known, so leaving them in place is a substantial security risk. The most common and potentially dangerous of these accounts are SYS and SYSTEM. These accounts have "full" DBA privileges.
* Note: By default, this check tests the following account ID and password combinations: system/manager, sys/mgr, sys/change_on_install, ctxsys/ctxsys, odscommon/odscommon
* References: http://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm http://www.vulnerabilityassessment.co.uk/default_oracle_passwords.htm |
| Recommendation |
Change the user's password to something other than the default password immediately. To change the password of a user, log in to the Oracle server with that user name using the 'sqlplus' command, then execute a command like this:
alter user sys identified by "mysecretpwd";
The user name is written without double quotes because a quoted lowercase name ("sys") is treated as case-sensitive and does not match the SYS account. The command above changes the password for user "sys" to "mysecretpwd". |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
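The recommendation above, extended into an audit-and-fix pass (an added example, not part of the original check text). It assumes Oracle Database 11g or later, where the DBA_USERS_WITH_DEFPWD view exists, and a session with DBA privileges; the passwords shown are placeholders.

```sql
-- 1. List accounts whose password is still a known default, together with
--    their lock status, so open accounts can be handled first.
SELECT d.username, u.account_status, u.profile
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;

-- 2. Administrative accounts that must stay usable: set a new password.
--    Placeholder values; use a unique secret per account.
ALTER USER sys    IDENTIFIED BY "ReplaceWithUniqueSecret1";
ALTER USER system IDENTIFIED BY "ReplaceWithUniqueSecret2";

-- 3. Component accounts that nobody logs in to directly (CTXSYS shown as
--    an example from the check's list): expire the password and lock the
--    account so the default credential cannot be used to connect.
ALTER USER ctxsys PASSWORD EXPIRE ACCOUNT LOCK;

-- 4. Re-run the query from step 1. Accounts changed in step 2 no longer
--    appear. Accounts locked in step 3 may still be listed, because the
--    stored password is unchanged; confirm that their ACCOUNT_STATUS
--    reads EXPIRED & LOCKED.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status = 'OPEN';   -- expected result: no rows
```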