Bugtraq mailing list archives
Re: Oracle WebDb engine brain-damagse
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Thu, 21 Dec 2000 01:04:01 +0100
I would like to explain some issues related to this bug report. I've received some critical responses, and some people missed the point of this advisory:

First of all, there were TWO separate bugs reported - IAS bug allowing attacker to inject PL/SQL queries and/or other code within external HTTP query and WebDB bug allowing unauthorized proxy reconfiguration attempts (the second problem is common in WebDB+Apache configurations):

* The risk related to first problem depends on privileges on which PL/SQL query is processed; in multi-user, structural systems where privileges are strictly controlled, the impact is less damaging (eg. if this user can't access any tables, create any objects, and can call public procedures in secure *only*). This means on most installations, the problem persists and is real.

* The second problem has really huge security impact on almost every system (including these listed as examples, e.g. www.oracle.com) which is using Apache integrated with WebDB interface (no information about other systems).

The second issue I would like to bring here are some legal / ethical problems:

* I've tried to provide useful information, which can be verified easily and can be used to defend against attacks; this approach has some costs: for example, I *HAD* to provide examples proving the problem exists (I haven't provided any complete break-in example, but referred to examples of how to check if you are vulnerable and proofs that numerous sites are affected, including vendor's site); I believe I haven't provided any information smart attacker couldn't collect or find on his own having enough time. Unfortunately, most of us - system administrators - have not so much time as blackhats for investigating such issues. Effectively, I've made administrators' task much easier. If you believe providing incomplete / useless information would be better, I wouldn't agree.

* Vendor notification: I am not working for Oracle and I can't find any reason to provide them confidential security audits for free, giving them enough time to fix the problem silently. That's why I've decided to disclose this information about observed functionality, not violating copyrights or other laws, as a result of my experiments based on publicly available knowledge and techniques. On the other hand, I would like to minimize eventual damage caused to Oracle clients, that's obvious. That's why I've chosen this form of publication - informative to both sides, but - instead of CERT-alike advisories - giving administrators better chances - because they have all the information required for eventual testing and fix, while blackhats do not have an exploit or all knowledge required to write it.

Sorry, that's my point of view.

Thank you,
--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=