PL/SQL
PL or SQL : Default SID value
Classification: OWASP Top 10 2013, OWASP Top 10 2017, OWASP Top 10 2021, PCI DSS 4.0, CWE
Overview
The application uses a string whose value matches one of the default values of the Oracle system identifier (SID). Adversaries can use default SID values to carry out an attack.
The database instance is identified by its SID (System IDentifier). The SID consists of alphanumeric characters and is stored in the ORACLE_SID system environment variable. Network utilities use the SID to obtain remote access to the database.
Without knowing the SID of the Oracle database, an attacker cannot access the database, even with a valid username and password. Knowing the SID of the database, an attacker can, for example, configure database accounts.
Some of the default SID values: ORCL, XE, ASDB, IASDB, OEMREP.
References
- Top 10 Oracle Steps to a Secure Oracle Database Server - Chris Stark / opensecurityresearch.com
- What is a SID, how to change it, how to find out what it is - asktom.oracle.com
- Default SID values - red-database-security.com (txt)
- Best Practices for Oracle Databases - red-database-security.com (txt)
- Basic Security Measures for Oracle - oracle-base.com
- Database Real Application Security Administrator’s and Developer’s Guide - docs.oracle.com
- OWASP Top 10 2017-A6-Security Misconfiguration
- CWE CATEGORY: OWASP Top Ten 2017 Category A5 - Broken Access Control
DerScanner Severity Score: MEDIUM