DerScanner
Home / Vulnerability Database / PL or SQL : Default account
PL/SQL

PL or SQL : Default account

Classification

OWASP Top 10 2013
A5-Security Misconfiguration
OWASP Top 10 2017
A2-Broken AuthenticationA6-Security Misconfiguration
OWASP Top 10 2021
A7-Identification and Authentication FailuresA5-Security Misconfiguration
OWASP ASVS
Authentication
PCI DSS 4.0
2.2.2
HIPAA
§164.312 (a)(1)§164.312 (a)(2)(i)
CWE
CWE-1031

Overview

The application uses a string whose value corresponds to username or password of a default account. Default accounts with high privileges present one of the highest risks to the database.

Some of the predefined account (password is the same as username): SYSTEM, SYS, SYSMAN, SCOTT, DBSNMP, MGMT_VIEW.

References

  1. Top 10 Oracle Steps to a Secure Oracle Database Server - Chris Stark / opensecurityresearch.com
  2. Best Practices for Oracle Databases - red-database-security.com (txt)
  3. Basic Security Measures for Oracle - oracle-base.com
  4. Database Real Application Security Administrator’s and Developer’s Guide - docs.oracle.com
  5. OWASP Top 10 2017 A2-Broken Authentication
  6. OWASP Top 10 2017-A6-Security Misconfiguration
  7. CWE CATEGORY: OWASP Top Ten 2017 Category A5 - Broken Access Control
MEDIUM

DerScanner Severity Score

Do you want to fix PL or SQL : Default account in your application?

See also

PL/SQL

PL or SQL : Open redirect

PL/SQL

PL or SQL : Cross-site scripting (XSS)

PL/SQL

PL or SQL : Weak hashing algorithm