Rule ID
SV-221471r961863_rule
Version
V2R3
CCIs
OHS supports the use of the module mod_plsql, which allows applications to be hosted that are PL/SQL-based. To access the database, the module must have a valid username, password and database name. To keep the password from an attacker, the password must not be stored in plain text, but instead, obfuscated.
1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., dads.conf) included in it with an editor. 2. Search for the "PlsqlDatabasePassword" directive. 3. If the directive is set in clear text, this is a finding.
1. At shell prompt, set "ORACLE_HOME" environment variable to $ORACLE_HOME location and export the variable. 2. At shell prompt, set "PATH" environment variable to "$ORACLE_HOME/ohs/bin:$ORACLE_HOME/bin:$ORACLE_HOME/perl/bin:$PATH" and export the variable. 3a. If AIX OS, at shell prompt, set "LIBPATH" environment variable to "$ORACLE_HOME/lib:$LIBPATH" and export the variable. 3b. If HP-UX OS, at shell prompt, set "SHLIB_PATH" environment variable to "$ORACLE_HOME/lib:$SHLIB_PATH" and export the variable. 3c. If Solaris OS, at shell prompt, set "LD_LIBRARY_PATH" environment variable to "$ORACLE_HOME/lib32:$LD_LIBRARY_PATH" and export the variable. 3d. If Linux or Other Unix OS, at shell prompt, set "LD_LIBRARY_PATH" environment variable to "$ORACLE_HOME/lib:$LD_LIBRARY_PATH" and export the variable. 4. Change the present working directory to "$ORACLE_HOME/ohs/bin" (e.g., cd $ORACLE_HOME/ohs/bin). 5. For each .conf file found to be at fault, execute dadTool.pl script (e.g., "perl dadTool.pl -f $DOMAIN_HOME/config/fmwconfig/compoennts/OHS/<componentName>/mod_plsql/dads.conf").