Bugtraq mailing list archives

Re: Potential Vulnerabilities in Oracle Internet Application Server


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 26 Dec 2000 21:42:14 +0100

On Sat, 23 Dec 2000, Rajiv Sinha wrote:

> For modplsql in iAS, a second solution is to disable access to URLs
> which match certain criteria.  For example, in the case of SYS, OWA,
> and DBMS this may be done by adding the following rules to the
> plsql.conf file:
/.../
> Note also that the plsql.conf file can be configured to include rules
> which prevent access to URLs containing specific SQL statements such as
> select, insert, grant, etc., keeping in mind that rules are case
> sensitive.

This fix is broken by design:

http://server/pls/somedad/%0aselect...

...and so on. You should disallow *everything* except known procedure
names you really *want* to be called from the outside world, and disallow
*any* suspected special characters (spaces, tabs, cr/lfs and possibly
others).

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
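
The default-deny check recommended in the reply above, next to a prefix denylist of the kind the quoted advice describes, as an added example that is not part of the original post or of Oracle's configuration. The procedure names, the denylist entries and the assumption that the check sees the URL-decoded procedure part of /pls/<dad>/<procedure> are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical allowlist: the only procedures meant to be reachable from outside.
ALLOWED_PROCEDURES = {"shop.show_catalog", "shop.view_item"}
# Constructed denylist in the spirit of the quoted advice (not the real plsql.conf rules).
DENIED_PREFIXES = ("sys.", "owa", "dbms_", "select", "insert", "grant")
# A dotted ASCII identifier and nothing else: no spaces, tabs, CR/LF or quotes.
SAFE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_$#]*(\.[A-Za-z][A-Za-z0-9_$#]*){0,2}")


def procedure_from_path(path):
    """Return the decoded procedure part of /pls/<dad>/<procedure>, or None."""
    parts = path.split("?", 1)[0].split("/", 3)
    if len(parts) != 4 or parts[0] != "" or parts[1] != "pls":
        return None
    return unquote(parts[3])


def denylist_allows(path):
    """Case-sensitive prefix denylist: the approach the reply calls broken."""
    proc = procedure_from_path(path)
    return proc is not None and not proc.startswith(DENIED_PREFIXES)


def allowlist_allows(path):
    """Default deny: strict character set first, then exact match on known names."""
    proc = procedure_from_path(path)
    if proc is None or "%" in proc:  # a leftover % means double-encoded input
        return False
    if SAFE_NAME.fullmatch(proc) is None:
        return False
    return proc.lower() in ALLOWED_PROCEDURES


if __name__ == "__main__":
    # Constructed sample requests; the %0a form is the one shown in the post.
    for sample in ("/pls/somedad/select",
                   "/pls/somedad/%0aselect",
                   "/pls/somedad/SELECT",
                   "/pls/somedad/shop.view_item?id=1"):
        print(f"{sample!r:40} denylist={denylist_allows(sample)!s:5} "
              f"allowlist={allowlist_allows(sample)}")
```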

