lists.openwall.net - Open Source and information security mailing list archives
Date: Wed, 25 Jan 2006 18:25:07 -0000
From: "David Litchfield" <davidl@...software.com>
To: <bugtraq@...urityfocus.com>, <dbsec@...elists.org>
Subject: Workaround for unpatched Oracle PLSQL Gateway flaw

There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS and the Oracle HTTP Server, that allows attackers to bypass the PLSQLExclusion list and gain access to "excluded" packages and procedures. This can be exploited by an attacker to gain full DBA control of the backend database server through the web server.

This flaw was reported to Oracle on the 26th of October 2005. On November the 7th, NGS alerted NISCC (http://www.niscc.gov.uk) to the problem. It was hoped that, due to the severity of the problem, Oracle would release a fix or a workaround for this in the January 2006 Critical Patch Update. They failed to do so.

The workaround is trivial; using mod_rewrite, which is compiled into Oracle's Apache distribution, it is possible to stop the attack. The workaround checks a user's web request for the presence of a right facing bracket, ')'. Add the following four lines to your httpd.conf file, then stop and restart the web server:

    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
    RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
    RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

I don't think leaving their customers vulnerable for another 3 months (or perhaps even longer) until the next CPU is reasonable, especially when this bug is so easy to fix and easy to work around. Again, I urge all Oracle customers to get on the 'phone to Oracle and demand the respect you paid for.

Cheers,
David Litchfield
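Editor's note: the four mod_rewrite lines above are easy to misread, because the RewriteCond governs only the RewriteRule immediately after it, and because Apache matches RewriteRule patterns against the URL-decoded request path while %{QUERY_STRING} is the raw, still-encoded query string (which is why the rules list "%29" as well as ")"). The script below is an added example, not part of the original post and not Oracle's or NGS's code: it re-implements those matching semantics in Python so the rules can be exercised against constructed request targets without an Apache install. Everything in it (the function names and the sample requests) is made up for illustration; the two regular expressions are copied verbatim from the workaround. It also records one property of the rules worth knowing: a doubly-encoded parenthesis ("%2529") in the query string is not matched, since the raw query string contains neither ")" nor "%29". Whether that matters depends on how the gateway decodes its input, which this post does not address. One further caveat on the rules themselves: a RewriteRule substitution that starts with "http://" is an external redirect, so the client is sent to http://127.0.0.1/denied.htm on its own machine; the request is still stopped at the Oracle HTTP Server, but an [F] (forbidden) flag would return a 403 directly instead.

```python
"""Model of the four mod_rewrite directives in the PL/SQL Gateway workaround.

Added example, not from the original post.  Assumptions (standard mod_rewrite
behaviour): RewriteRule patterns are tested against the URL-decoded path,
%{QUERY_STRING} is the raw query string, and a RewriteCond applies only to
the RewriteRule that directly follows it.
"""
import re
from urllib.parse import unquote, urlsplit

# Both expressions copied from the workaround.  mod_rewrite uses POSIX ERE;
# for these patterns Python's re module behaves identically.
QUERY_COND = re.compile(r"^.*\).*|.*%29.*$")   # RewriteCond %{QUERY_STRING} ...
PATH_RULE = re.compile(r"^.*\).*|.*%29.*$")    # second RewriteRule pattern


def is_denied(request_target: str) -> bool:
    """Return True if the workaround would redirect this request-target.

    request_target is the path-and-query part of the request line,
    e.g. "/pls/portal/x?p=1".
    """
    parts = urlsplit(request_target)
    decoded_path = unquote(parts.path)   # what the RewriteRule pattern sees
    raw_query = parts.query              # what %{QUERY_STRING} contains

    # Directive 2+3: RewriteCond on the raw query string gates a
    # RewriteRule whose pattern ^.*$ matches every path.
    if QUERY_COND.search(raw_query):
        return True

    # Directive 4: unconditional RewriteRule matched against the decoded path.
    return PATH_RULE.search(decoded_path) is not None


def classify(request_targets):
    """Map each request-target to 'denied' or 'allowed'."""
    return {t: ("denied" if is_denied(t) else "allowed") for t in request_targets}


# Constructed sample requests (hypothetical DAD and procedure names).
SAMPLE_REQUESTS = [
    "/pls/portal/PORTAL.wwv_main.main",        # ordinary request: allowed
    "/pls/portal/x?p=abc)",                    # raw ')' in query: denied
    "/pls/portal/x?p=abc%29",                  # '%29' in raw query: denied
    "/pls/portal/foo%29bar",                   # path decodes to ')': denied
    "/pls/portal/foo%2529bar",                 # path decodes to '%29': denied
    "/pls/portal/x?p=abc%2529",                # raw query has no ')' or '%29': allowed
]

if __name__ == "__main__":
    for target, verdict in classify(SAMPLE_REQUESTS).items():
        print(f"{verdict:7s} {target}")
```

Run it as-is to see the verdict for each sample; to check a real server's configuration rather than this model, send the same request targets to the Oracle HTTP Server and confirm the ones marked "denied" come back as a redirect to denied.htm.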