Bugtraq mailing list archives

Oracle Web Listener

From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Thu, 25 Nov 1999 21:45:35 -0000


There is a problem (seems to be a bug) with Oracle Web Listener where a
resource can be accessed when is shouldn't be able to be accessed:

Consider the following setup:
Access to  http://host/ows-bin/owa/thenormal.app _is_ allowed.

However access to the owa_util package in the same dir is not allowed so
requesting http://host/ows-bin/owa/owa_util.signature causes the Oracle Web
Listener to throw back an HTTP 401 response ie it requires a user id and
password. However by making a request and substituting the _ with %5f (eg.
http://host/ows-bin/owa/owa%5futil.signature)  we're granted access. Or
using %2e instead of the dot (eg.
http://host/ows-bin/owa/owa_util%2esignature ) does the same: we're given
access, then too.

On sites that protect access to owa_util using this method will be at great
risk from queries using showsource, cellsprint, tableprint and listprint.

Version Oracle_Web_listener2.1/1.20in2 on Solaris was tested. More recent
and earlier versions may also be affected but that's not known yet. Anybody
with access to such versions it - could you check?

TIA
Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
Cerberus Information Security

Current thread:

[w00giving '99 #5 and w00news]: UnixWare 7's su, (continued)
- - - [w00giving '99 #5 and w00news]: UnixWare 7's su Matt Conover (Nov 25)
    - Buffer Overflow Survey Paper Crispin Cowan (Nov 22)
    - Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper) Crispin Cowan (Nov 23)
    - [ COBALT ] Security Advisory - Sendmail Jeff Bilicki (Nov 24)
    - Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper) Scott Zimmerman (Nov 24)
    - Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper) Simple Nomad (Nov 24)
    - Netscape communicator 4.x Javascript security flaw Ahmed Ghandour (Nov 24)
    - Re: Netscape communicator 4.x Javascript security flaw Metal Hurlant (Nov 26)
    - Re: Netscape communicator 4.x Javascript security flaw Ahmed Ghandour (Nov 26)
    - Windows NT 4.0 Service Pack 6A Breaks IP Forwarding Brendan Howes (Nov 25)
    - Oracle Web Listener Mnemonix (Nov 25)
    - [w00giving '99 #6]: UnixWare 7's Xsco Matt Conover (Nov 25)
    - Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper) Mark Seiden (Nov 24)
    - Netscape Communicator 4.7 - Navigator Overflows Mike Boto (Nov 24)
    - BindView Security Advisory: SSR Denial of Service BindView Security Advisory (Nov 24)
    - Re: BindView Security Advisory: SSR Denial of Service Alan Cox (Nov 24)
    - Oracle 8i questions Brock Tellier (Nov 23)
    - Printer Vulnerabilities (Tektronix and JetDirect) Elias Levy (Nov 23)
    - Re: local users can panic linux kernel (was: SuSE syslogd advisory) Darren Reed (Nov 20)
    - Re: local users can panic linux kernel (was: SuSE syslogd advisory) Cy Schubert - ITSD Open Systems Group (Nov 23)
    - Re: local users can panic linux kernel (was: SuSE syslogdadvisory) Jefferson Ogata (Nov 23)

(Thread continues...)