Webcache Client Requests Bypass OHS mod_access Restrictions

From: Alexander Kornbrust (ak_at_red-database-security.com)
Date: 04/28/05

Next message: Alexander Kornbrust: "File appending vulnerability in Oracle Webcache 9i"

Previous message: Dave Armstrong: "Borland Security Contact"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 28 Apr 2005 17:23:36 -0000
To: bugtraq@securityfocus.com

('binary' encoding is not supported, stored as-is)

Red-Database-Security GmbH Research Advisory

Name Webcache Client Requests Bypass OHS mod_access Restrictions
Systems Affected Oracle HTTP Server
Severity Medium Risk
Category Bypass protected URLs via Webcache
Vendor URL http://www.oracle.com
Author Alexander Kornbrust (ak at red-database-security.com)
Date 26 Apr 2005 (V 1.00)
Advisory number AKSEC2003-015

Description
###########
Without the parameter "UseWebcacheIP ON" it is possible to bypass Oracle HTTP Server
mod_access restrictions.

More details available:
#######################

http://www.red-database-security.com/advisory/oracle_webcache_bypass.html

Patch Information
#################
Add the new parameter "UseWebCacheIP ON" to the httpd.conf

History:
########
01 October 2003 Oracle secalert was informed
23 October 2003 Bug confirmed
26 April 2005 Advisory released

About Red-Database-Security GmbH
#################################
Red-Database-Security GmbH is a specialist in Oracle Security.

http://www.red-database-security.com

Next message: Alexander Kornbrust: "File appending vulnerability in Oracle Webcache 9i"

Previous message: Dave Armstrong: "Borland Security Contact"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]