Thanks very much for the replies. Francesco, your details of a "hack" are exactly the sort of thing I am interested in for a paper about BAAN / Oracle.
I have a huge amount of info about Oracle security specifically (and a lot of it most probably applies to BAAN installations as well) BUT it is the BAAN specifics that need to be addressed.
It sounds like from what Patvdv says that there is little recorded about BAAN / Oracle security and that a lot of people install BAAN on top of a default Oracle install without changing anything much (surely not true!!).
Bear in mind BAAN is new to me, my area is Oracle so some of what I can offer initially might not be totally relevant. Links to all of these items are on my site at http://www.petefinnigan.com/orasec.htm.
o - The first and most obvious way into an Oracle database is to use one of the default accounts with known default passwords. I wrote a paper for a previous employer that included a default password list. There is a slightly longer password list included with the code for my book "Oracle security step-by-step" published by SANS.
o - The next step would be to run the simple scanner that is included with the paper I wrote for securityfocus.com, as I said there is a link to this paper on the URL above, it's called "A simple Oracle security scanner". This checks for about 10 common issues.
o - There are a couple of links to check lists produced by Oracle themselves, one for Oracle 9i and 9iR2, they are called "A security checklist for Oracle 9i" and "A security checklist for Oracle 9ir2". Most of what is said applies to Oracle 8 and 8i as well.
o - There are some very good papers on http://www.integrigy.com/resources.htm including an excellent one about securing the Oracle listener. I will be adding links to these shortly to my site.
o - I did a recent paper for securityfocus.com called "An introduction to simple Oracle auditing" that has some SQL to check for some basic abuses such as trying to log on with non-existent users (an indication of hacking), users sharing database accounts and so on. Link in usual place.
There are three books dedicated to Oracle security:
o - "Oracle security step-by-step" by Pete Finnigan - see http://store.sans.org - as it says, a step-by-step guide to check for hundreds of configuration and set up issues and vulnerabilities. It's a hands-on checklist cookbook.
o - Oracle security - Marlene Theriault - Bill Heney - O'Reilly - Good book, based around theory but some practical, bit dated now.
o - Oracle security handbook - Marlene again and Aaron Newman - Oracle Press - good book, more up to date, again quite a lot of theory.
There is also a chapter in the new Special Ops book by Erik Pace Birkholz et al.
I hope this is a good appetizer, as I said I would be interested to hear more from you guys about BAAN specific security issues on Oracle and what standard Oracle stuff works for BAAN. Like Francesco's item above - but more importantly the fixes to stop these being used.
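
The two audit checks mentioned in the post above (logon attempts with non-existent users, and users sharing database accounts), written out as an added example that is not part of the original post and is not the SQL from the paper it refers to. It assumes session auditing is switched on (AUDIT SESSION with audit_trail = DB) and uses the standard DBA_AUDIT_SESSION and DBA_USERS views; a different terminal is treated here as a sign of a different person, which is an assumption that may not hold behind an application server.

```sql
-- Added example. Assumes AUDIT SESSION is enabled and audit_trail = DB,
-- so every connect attempt is visible through DBA_AUDIT_SESSION.

-- 1. Failed logons for usernames that do not exist in the database.
--    RETURNCODE 1017 is ORA-01017 (invalid username/password).
SELECT a.username,
       a.os_username,
       a.userhost,
       a.terminal,
       COUNT(*)         AS failed_attempts,
       MIN(a.timestamp) AS first_seen,
       MAX(a.timestamp) AS last_seen
FROM   dba_audit_session a
WHERE  a.returncode = 1017
AND    NOT EXISTS (SELECT 1
                   FROM   dba_users u
                   WHERE  u.username = a.username)
GROUP  BY a.username, a.os_username, a.userhost, a.terminal
ORDER  BY failed_attempts DESC;

-- 2. Database accounts that logged on successfully from more than one
--    terminal, which can indicate several people sharing one account.
SELECT a.username,
       COUNT(DISTINCT a.terminal) AS terminals,
       COUNT(*)                   AS logons
FROM   dba_audit_session a
WHERE  a.returncode = 0
AND    a.terminal IS NOT NULL
GROUP  BY a.username
HAVING COUNT(DISTINCT a.terminal) > 1
ORDER  BY terminals DESC;
```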