Bugtraq mailing list archives
Re: Workaround for unpatched Oracle PLSQL Gateway flaw
From: "David Litchfield" <davidl () ngssoftware com>
Date: Wed, 8 Feb 2006 19:48:32 -0000
So, like, what about http://www.integrigy.com/info/IntegrigySecurityAnalysis-MODPLSQLVuln.pdf
This provides an excellent analysis of the problem. Further, it discusses the recommendation made by Vladimir Zakharychev from Webrecruiter. This recommendation is to set the "always_describe" / "PlsqlAlwaysDescribeProcedure" to "yes" / "on" in the "wdbsvr.app" / "dads.conf" file. This is a simple workaround and, as I can confirm, it does prevent exploitation. Why on earth didn't Oracle make this simple recommendation in the January 2006 CPU?
I hereby withdraw my workaround and would encourage everyone to adopt Vladimir's.
Cheers, David Litchfield
Current thread:
- Re: Workaround for unpatched Oracle PLSQL Gateway flaw x (Feb 01)
- More on the workaround for the unpatched Oracle PLSQL Gateway flaw David Litchfield (Feb 02)
- Re: Workaround for unpatched Oracle PLSQL Gateway flaw ad () heapoverflow com (Feb 04)
- <Possible follow-ups>
- Re: Workaround for unpatched Oracle PLSQL Gateway flaw a (Feb 08)
- Re: Workaround for unpatched Oracle PLSQL Gateway flaw David Litchfield (Feb 08)