Comments on Johan Louwers - Tech blog: Oracle Applications Passwords Decryption Vulnerability.
Johan Louwers. Updated 2024-03-23T11:11:22.744+01:00.

Anonymous (2010-12-01T21:31:07.023+01:00):

Wow,
This is really great.. the steps are so good even a novice can understand with ease.

Mohamed Sahal Thalakkat (2009-10-10T22:57:55.589+02:00):

Hi Johan,

A clear and precise explanation of the encryption and decryption process in Oracle E-Business Suite..

Oracle has provided a fix for this though.. to store hashed passwords in fnd_users. Check FNDCPASS Utility New Feature: Enhance Security With Non-Reversible Hash Password - Doc ID: 457166.1 in Metalink.

Johan Louwers (2009-08-17T17:27:17.515+02:00):

Well, I tried to tell them they should fix it. I even contacted CERT for it; however, Oracle is stating that you need such a high security level in the system to be able to do so that they do not consider it a really really important bug...... sigh!! I also do not get why they did not create an emergency bugfix for it....?

Anonymous (2009-08-14T10:29:35.931+02:00):

This is already a 3-year-old post, but until now it is still working on Oracle EBS.

Why is Oracle not acting on this one?

Anonymous (2009-06-23T05:09:39.726+02:00):

This is great.

Shame on Oracle.

By the way, you don't need to change the package to access the decrypt function.

You can define your own decrypt function like this:

create or replace
function XX_decrypt(key in varchar2, value in varchar2)
 return varchar2
 as language java name '

Anonymous (2009-01-29T21:19:00.000+01:00):

You did some genius work on this.

Clear understanding of the problem.
Clear explanation of what is going on.
Clear demonstration of how this actually works.

Wow.

I have not looked at the rest of your blog, but I'll be checking it out.

Steve

Unknown (2009-01-13T20:30:00.000+01:00):

Hi Johan,

I happened to see your article; it's very informative. Thanks for that.

As you said, to change and compile the package FND_WEB_SEC we need to have the apps schema password.

Can you let me know how we can get the passwords if we do not know the APPS schema password?

Thanks
Srini

Johan Louwers (2008-06-03T21:34:00.000+02:00):

Hi,
you say users were unable to log in after the modification to the package? Did the restart of Apache solve the problem or did you have to undo your change? I have used this now on several instances and have never had this problem.

Can you explain to us what went wrong and how you coded around it?
Can you also provide the version of E-Business Suite and your database so we can

Anonymous (2008-06-03T04:35:00.000+02:00):

Things to caution.
I have tried the method, it works.
However, after I modified the package, it made users unable to log in, and I needed to restart the Apache server.

Anonymous (2008-05-01T02:12:00.000+02:00):

Wow... an eye-opening article.
Thank you so much
Tushar