Bugtraq mailing list archives
Re: Potential Vulnerabilities in Oracle Internet Application Server
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 26 Dec 2000 21:42:14 +0100
On Sat, 23 Dec 2000, Rajiv Sinha wrote:
For modplsql in iAS, a second solution is to disable access to URLs which match certain criteria. For example, in the case of SYS, OWA, and DBMS this may be done by adding the following rules to the plsql.conf file: /.../ Note also that the plsql.conf file can be configured to include rules which prevent access to URLs containing specific SQL statements such as select, insert, grant, etc., keeping in mind that rules are case sensitive.
This fix is broken by design: http://server/pls/somedad/%0aselect... ...and so on. You should disallow *everything* except known procedure names you really *want* to be called from outside world, and disallow *any* suspected special characters (spaces, tabs, cr/lfs and possibly others). -- _______________________________________________________ Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security] [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =--=> Did you know that clones never use mirrors? <=--=
Current thread:
- Potential Vulnerabilities in Oracle Internet Application Server Rajiv Sinha (Dec 26)
- Re: Potential Vulnerabilities in Oracle Internet Application Server Michal Zalewski (Dec 27)