Vulnerability Development mailing list archives

Correction - Oracle Apache+WebDB info leakage


From: "Leandro Malaquias" <wazup () brnet com br>
Date: Sun, 3 Feb 2002 23:37:31 -0200

While I was going through the Oracle Apache+WebDB vulnerability, I found
something else also interesting. I don't know if anyone has posted this
before, but here it goes anyway.

If you request the following: http://<hostname>:<port>/pls/admin

The following info is displayed:

Sun, 3 Feb 2002 19:57:12 GMT

No DAD configuration Found
  DAD name:
  PROCEDURE  :
  URL        : http://<hostname>:<port>/pls/admin
  PARAMETERS :
  ===========

  ENVIRONMENT:
  ============
    PLSQL_GATEWAY=WebDb
    GATEWAY_IVERSION=2
    SERVER_SOFTWARE=Apache/1.3.12 (Unix) ApacheJServ/1.1 mod_perl/1.22
    GATEWAY_INTERFACE=CGI/1.1
    SERVER_PORT= <port number>
    SERVER_NAME= <hostname>
    REQUEST_METHOD=GET
    QUERY_STRING=
    PATH_INFO=/admin
    SCRIPT_NAME=/pls
    REMOTE_HOST=
    REMOTE_ADDR= <My IP>
    SERVER_PROTOCOL=HTTP/1.1
    REQUEST_PROTOCOL=HTTP
    REMOTE_USER=
    HTTP_CONTENT_LENGTH=
    HTTP_CONTENT_TYPE=
    HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    HTTP_HOST=<hostname>:<port>
    HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/x-quickviewplus, */*
    HTTP_ACCEPT_ENCODING=gzip, deflate
    HTTP_ACCEPT_LANGUAGE=en-us
    HTTP_ACCEPT_CHARSET=
    HTTP_COOKIE=
    Authorization=
    HTTP_IF_MODIFIED_SINCE=


Peace,

           Leandro Malaquias
Consultor de Segurança em Redes
    Network Security Consultant
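
For administrators auditing their own gateway for the behaviour reported above, the following is an added example and not part of the original post: it recognises the "No DAD configuration Found" page in a response body and lists which environment fields it discloses. The function names, the choice of which fields count as sensitive, and the sample body (modelled on the output above with made-up host, port and address) are assumptions.

```python
import re

# Constructed sample modelled on the post's output; host, port and IP are made up.
SAMPLE_BODY = """\
No DAD configuration Found
  DAD name:
  URL        : http://www.example.test:7777/pls/admin
  PARAMETERS :
  ===========

  ENVIRONMENT:
  ============
    PLSQL_GATEWAY=WebDb
    GATEWAY_IVERSION=2
    SERVER_SOFTWARE=Apache/1.3.12 (Unix) ApacheJServ/1.1 mod_perl/1.22
    SERVER_PORT=7777
    REMOTE_ADDR=192.0.2.10
    REMOTE_USER=
    HTTP_COOKIE=
"""

MARKER = "No DAD configuration Found"
# Assumption: these fields are the ones that reveal gateway and server build details.
SENSITIVE = {"PLSQL_GATEWAY", "GATEWAY_IVERSION", "SERVER_SOFTWARE"}
KV = re.compile(r"^\s+([A-Za-z_]+)=(.*)$")


def parse_dad_error_page(body):
    """Return None if body is not the diagnostic page, else a dict of non-empty fields."""
    if MARKER not in body:
        return None
    env, in_env = {}, False
    for line in body.splitlines():
        if line.strip() == "ENVIRONMENT:":
            in_env = True  # key=value pairs only count after this header
            continue
        m = KV.match(line) if in_env else None
        if m and m.group(2).strip():
            env[m.group(1)] = m.group(2).strip()
    return env


def disclosed_fields(body):
    """Sorted names of sensitive fields the page exposes with a value."""
    env = parse_dad_error_page(body)
    return [] if env is None else sorted(k for k in env if k in SENSITIVE)


if __name__ == "__main__":
    print(disclosed_fields(SAMPLE_BODY))
```
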

