- Threat ID:
- Threat Date:
- Threat Name: Easily-guessed database username
- CVE Reference:
- CCE Reference:
- Database Type: All versions of Oracle
A database username has been discovered. By modifying the login sequence, an attacker can detect whether a given account name exists. This allows the attacker to collect a list of valid users by trying a list of common usernames.

While Oracle does not provide a built-in mechanism that lets unauthenticated users enumerate the list of database users, an attacker can still build a list of valid database users by trying names from a dictionary.
While a list of users does not by itself result in a vulnerability, an attacker can use a list of database accounts to mount other attacks. Most sophisticated attackers will start an attack by collecting this type of information.
This check attempts to collect a list of live account names from the database. The collected list of usernames is then used by other checks.
This check determines live account names by trying to log in using each word from a specified dictionary file. The default file used is "large-familynames.txt", found in the AppDetective installation directory.
Note that this check can take a while to run if the number of words being tried is excessively large. Depending on the speed of the connection, the rate at which usernames can be attempted ranges from several per second to one every several seconds.
Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.