lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002b01c621dc$ab648090$f6c24a41@ngssoftware.com>
Date: Wed, 25 Jan 2006 18:25:07 -0000
From: "David Litchfield" <davidl@...software.com>
To: <bugtraq@...urityfocus.com>, <dbsec@...elists.org>
Subject: Workaround for unpatched Oracle PLSQL Gateway flaw


There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS 
and the Oracle HTTP Server, that allows attackers to bypass the 
PLSQLExclusion list and gain access to "excluded" packages and procedures. 
This can be exploited by an attacker to gain full DBA control of the backend 
database server through the web server.

This flaw was reported to Oracle on the 26th of October 2005. On November 
the 7th NGS alerted NISCC (http://www.niscc.gov.uk) to the problem. It was 
hoped that due to the severity of the problem that Oracle would release a 
fix or a workaround for this in the January 2006 Critical Patch Update. They 
failed to do so.

The workaround is trivial; using mod_rewrite, which is compiled into 
Oracle's Apache distribution it is possible to stop the attack. The 
workaround checks a user's web request for the presence of a right facing 
bracket, ')'.

Add the following four lines to your http.conf file then stop and restart 
the web server

RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

I don't think leaving their customers vulnerable for another 3 months (or 
perhaps even longer) until the next CPU is reasonable especially when this 
bug is so easy to fix and easy to workaround. Again, I urge all Oracle 
customers to get on the 'phone to Oracle and demand the respect you paid 
for.

Cheers,
David Litchfield 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ