Bugtraq mailing list archives

Re: Oracle Web Listener


From: steve.posick () ESPN COM (Posick, Steve)
Date: Mon, 29 Nov 1999 09:36:25 -0500


We've addressed this problem by creating 2 accounts: 1 that owns the
procedures to be executed (www_user) and 1 that is called by the listener
(www_connect).  www_connect is only granted execute rights on the procedures
and packages it needs to execute.  Since Oracle stored procedures execute as
their owner, they will be able to access all the resources they need, while
the www_connect account will be limited to only what was explicitly
granted to it.

                -----Original Message-----
                From:   Mnemonix [mailto:mnemonix () GLOBALNET CO UK]
                Sent:   Thursday, November 25, 1999 4:46 PM
                To:     BUGTRAQ () SECURITYFOCUS COM
                Subject:        Oracle Web Listener

                There is a problem (seems to be a bug) with Oracle Web Listener
                where a resource can be accessed when it shouldn't be able to
                be accessed:

                Consider the following setup:
                Access to http://host/ows-bin/owa/thenormal.app _is_ allowed.

                However, access to the owa_util package in the same dir is not
                allowed, so requesting
                http://host/ows-bin/owa/owa_util.signature causes the Oracle
                Web Listener to throw back an HTTP 401 response, i.e. it
                requires a user id and password. However, by making a request
                and substituting the _ with %5f (e.g.
                http://host/ows-bin/owa/owa%5futil.signature) we're granted
                access. Or using %2e instead of the dot (e.g.
                http://host/ows-bin/owa/owa_util%2esignature) does the same:
                we're given access then, too.

                Sites that protect access to owa_util using this method will
                be at great risk from queries using showsource, cellsprint,
                tableprint and listprint.

                Version Oracle_Web_listener2.1/1.20in2 on Solaris was tested.
                More recent and earlier versions may also be affected but
                that's not known yet. Anybody with access to such versions -
                could you check?

                TIA
                Cheers,
                David Litchfield
                http://www.infowar.co.uk/mnemonix/
                Cerberus Information Security
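
The mismatch described in the original message, as an added example that is not part of either post and is not Oracle's code: a protection rule matched against the request path as sent misses the %5f and %2e forms, while the same rule matched after percent-decoding catches them. The rule format (a set of protected package names) and all function names are assumptions; the request paths are the ones quoted in the message.

```python
from urllib.parse import unquote

# Assumed rule format: package names that require authentication.
PROTECTED_PACKAGES = {"owa_util"}

def package_of(path: str) -> str:
    """Package part of /.../package.procedure (PL/SQL names are case-insensitive)."""
    segment = path.rsplit("/", 1)[-1]
    return segment.split(".", 1)[0].lower()

def needs_auth_raw(path: str) -> bool:
    """Flawed check: applies the rule to the path exactly as it was sent."""
    return package_of(path) in PROTECTED_PACKAGES

def canonicalize(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the path stops changing, so the rule is applied
    to the name the handler will resolve. Decoding repeatedly is a
    conservative choice: it can only make the check stricter."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("path still changes after repeated decoding")

def needs_auth_canonical(path: str) -> bool:
    """Hardened check: applies the rule to the canonical path, failing closed."""
    try:
        return package_of(canonicalize(path)) in PROTECTED_PACKAGES
    except ValueError:
        return True  # input that will not normalize is treated as protected

def disagreements(paths):
    """Paths the two checks treat differently; useful when reviewing access logs."""
    return [p for p in paths if needs_auth_raw(p) != needs_auth_canonical(p)]

# Request paths from the message above.
SAMPLES = [
    "/ows-bin/owa/thenormal.app",
    "/ows-bin/owa/owa_util.signature",
    "/ows-bin/owa/owa%5futil.signature",
    "/ows-bin/owa/owa_util%2esignature",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:40} raw={needs_auth_raw(p)!s:5} canonical={needs_auth_canonical(p)}")
```

Restricting the listener account to explicitly granted procedures, as the reply describes, limits what such a request can reach even when a path rule is bypassed.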

