Bugtraq mailing list archives
Vulnerabilities in Oracle WebDB (fwd)
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 26 Dec 2000 19:56:18 +0100
Here is the message from the Oracle Security team regarding the vulnerabilities I've published (hope they don't mind if I publish it, it doesn't look confidential):

---

From: Secalert <secalert_us () oracle com>
Subject: Vulnerabilities in Oracle WebDB

Dear Michal,

Thank you for bringing to Oracle and its user community's attention the vulnerabilities in Oracle WebDB. Please be assured that workarounds/fixes for these problems are available. We will post details on BUGTRAQ very soon.

Best regards,
-Oracle Security Products

---

In the meantime, I've found Oracle secured their website (it took something around two days after my publication, not bad). That's right - it is no longer possible to do, for example:

http://www.oracle.com/pls/oracle8i/select%09something...

Nice, isn't it? As they said fixes are already available, I assumed it is the final solution. But wait...

First of all, a few words from the author ;) Not really wanting to be malicious, I decided to publish it right now, allowing Oracle people to prepare good, working patches, instead of releasing bogus workarounds (as opposed to "malicious" behaviour: keeping this information private until they release their patches, and publishing it then). Right. You can blame me, but that's my way.

Hmm, what was I talking about? Aaah... (caps lock on):

IT IS STILL POSSIBLE TO DO SOMETHING LIKE:

http://www.oracle.com/pls/oracle8i/%0aselect%09something...

...sorry for the example, I am sending it to Oracle secalert before publication. Of course, as someone pointed out, you can use for example the owa_util package (owa_util.showsource might be useful), not only abusing plain PL/SQL queries. Nasty and tasty.

I wouldn't comment on it. If you were vulnerable, you are still vulnerable. Hey, Oracle Security, wouldn't it be more sane to check for known procedure names, preferably rejecting all internal / standard procedures, instead of blindly passing (almost) anything to the PL/SQL interpreter and putting some bogus checks here? And to disallow control characters in the URL? Remember - according to your website - we are talking about the software used by nine out of ten of the biggest corporations, aren't we?

When I started playing with WebDB, spaces were disallowed. I used tabs (%09) to bypass it. So you have apparently disallowed some known keywords in queries. I've used %0a to fool this check. Want to play more?

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =--=>
Did you know that clones never use mirrors? <=--=
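The post contrasts a denylist on the raw URL (bypassed with %09 and then %0a) with the fix it proposes: decode first, reject control characters, and accept only known procedure names. The following is an added illustration of that contrast, not code from the post or from Oracle; the procedure allow-list and the exact shape of the naive filter are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed placeholder allow-list of application procedures. A real gateway
# would enumerate the procedures the application actually exposes and nothing else.
ALLOWED_PROCEDURES = {"myapp.show_page", "myapp.search"}

# A procedure name is a plain identifier with up to two dotted qualifiers
# (schema.package.procedure); no whitespace, no control characters.
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*(\.[A-Za-z][A-Za-z0-9_$#]*){0,2}$")

BLOCKED_LEADING_KEYWORDS = ("select",)  # assumed shape of the keyword check


def naive_filter_accepts(raw_segment: str, keyword_check: bool = True) -> bool:
    """Denylist of the kind the post describes: reject a literal space and,
    optionally, a path that starts with a blocked keyword. Everything else is
    passed through, so other whitespace and a leading newline slip past it."""
    decoded = unquote(raw_segment).lower()
    if " " in decoded:
        return False
    if keyword_check and decoded.startswith(BLOCKED_LEADING_KEYWORDS):
        return False
    return True


def hardened_filter_accepts(raw_segment: str) -> bool:
    """Allow-list: decode, refuse any control character, require a well-formed
    identifier, and accept only a procedure the application is known to expose."""
    decoded = unquote(raw_segment)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return False
    if not IDENT_RE.fullmatch(decoded):
        return False
    return decoded.lower() in ALLOWED_PROCEDURES


def classify(raw_segment: str) -> dict:
    """Run both filters on one raw (still percent-encoded) path segment."""
    return {"naive": naive_filter_accepts(raw_segment),
            "hardened": hardened_filter_accepts(raw_segment)}


if __name__ == "__main__":
    # Constructed sample segments mirroring the encodings the post mentions.
    for seg in ("myapp.show_page", "select%09something", "%0aselect%09something"):
        print(f"{seg!r}: {classify(seg)}")
```

The tab bypass shows up with `keyword_check=False` (the state before keywords were filtered), the newline bypass with the default; the hardened check rejects both because it decodes before inspecting and never lets a control character through.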