[Full-disclosure] Workaround for unpatched Oracle PLSQL Gateway flaw

There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS
and the Oracle HTTP Server, that allows attackers to bypass the
PLSQLExclusion list and gain access to "excluded" packages and procedures.
This can be exploited by an attacker to gain full DBA control of the backend
database server through the web server.

This flaw was reported to Oracle on the 26th of October 2005. On November
the 7th NGS alerted NISCC (http://www.niscc.gov.uk) to the problem. It was
hoped that due to the severity of the problem that Oracle would release a
fix or a workaround for this in the January 2006 Critical Patch Update. They
failed to do so.

The workaround is trivial; using mod_rewrite, which is compiled into
Oracle's Apache distribution it is possible to stop the attack. The
workaround checks a user's web request for the presence of a right facing
bracket, ')'.

Add the following four lines to your httpd.conf file, then stop and restart
the web server.

RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack
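
The following Python snippet is an added illustration, not part of David Litchfield's post or of any Oracle or Apache code. It re-implements the decision the four directives above make, so you can check offline which request targets the workaround redirects and which it lets through. Two assumptions about mod_rewrite semantics are built in and marked in the comments: a RewriteRule pattern is matched against the %-decoded URL path, while %{QUERY_STRING} in a RewriteCond sees the raw, undecoded query string. All request targets are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Redirect target used by both RewriteRule directives in the posted workaround.
DENIED = "http://127.0.0.1/denied.htm?attempted-attack"

# The same regular expression the post uses in the RewriteCond and the second RewriteRule:
# either a literal ')' anywhere, or the percent-encoded form '%29' anywhere.
PAREN_RE = re.compile(r"^.*\).*|.*%29.*$")


def rewrite_decision(request_target: str) -> Optional[str]:
    """Emulate the four-directive workaround for one raw request target.

    request_target is the path plus optional query string from the HTTP request line,
    e.g. '/pls/portal/PKG.PROC?p=abc%29'.  Returns the redirect URL the rules would
    issue, or None when the request would be passed on to the PL/SQL gateway.
    """
    parts = urlsplit(request_target)

    # Assumption: %{QUERY_STRING} is matched as sent, without percent-decoding,
    # which is why the pattern needs the explicit '%29' alternative.
    raw_query = parts.query

    # Assumption: the RewriteRule pattern is matched against the %-decoded URL path,
    # so an encoded ')' in the path shows up as a literal ')' here.
    decoded_path = unquote(parts.path)

    # Directives 2 and 3: the RewriteCond guards the first RewriteRule (^.*$),
    # so any query string containing ')' or '%29' is redirected.
    if PAREN_RE.search(raw_query):
        return DENIED

    # Directive 4: unconditional RewriteRule on the path itself.
    if PAREN_RE.search(decoded_path):
        return DENIED

    return None


def classify(targets):
    """Apply rewrite_decision to a list of request targets; returns [(target, decision)]."""
    return [(t, rewrite_decision(t)) for t in targets]


if __name__ == "__main__":
    # Constructed sample request targets, not taken from any real log.
    samples = [
        "/pls/portal/PKG.PROC?p=1&q=abc",      # ordinary request, passes
        "/pls/portal/PKG.PROC?p=abc)",         # ')' in query string, redirected
        "/pls/portal/PKG.PROC?p=abc%29",       # encoded ')' in query string, redirected
        "/pls/portal/PKG.PROC)?p=1",           # ')' in path, redirected by the path rule
        "/pls/portal/PKG%29PROC?p=1",          # encoded ')' in path, redirected after decoding
        "/pls/portal/REPORT?expr=f(x)",        # legitimate parenthesis is also blocked
    ]
    for target, decision in classify(samples):
        print(f"{target!r:40} -> {'redirect' if decision else 'pass'}")
```

The last sample shows the operational cost of the workaround: any legitimate parameter value that contains a closing parenthesis is redirected too, so applications behind the gateway that pass such values should be checked before the rules go live. Because the query-string check is done on the raw string, only the exact spelling `%29` is caught on that side; the path check, by contrast, runs after decoding and so catches either form.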

I don't think leaving their customers vulnerable for another 3 months (or
perhaps even longer) until the next CPU is reasonable especially when this
bug is so easy to fix and easy to workaround. Again, I urge all Oracle
customers to get on the 'phone to Oracle and demand the respect you paid
for.

Cheers,
David Litchfield


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
