Penetration Testing mailing list archives

Oracle Application Server 10g question


From: "Lee Lawson" <leejlawson () gmail com>
Date: Wed, 14 Mar 2007 10:08:12 +0000

Hi all,

I am conducting a pen test of a web application built on Oracle
Application Server 10g.  Aside from all of the problems that this
system has with XSS, especially within the SSO, I have a question
regarding a specific error message that is returned.

Consider the following URL:
http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL

This is the home page.  If I replace the _pageid= value with a single
quote, I am presented with the following error on the web page.
Error: ORA-06502: PL/SQL: numeric or value error: character to number
conversion error

So a potential SQL injection point, but I cannot get anything to work
with it!  Within the source code of the page however, is the output
from what I believe is the PLVtrc function which traces the call stack
of the PL/SQL runtime engine.

<!-- ----- PL/SQL Call Stack -----
 object      line  object
 handle    number  name
430150638       601  package body PROTOCOL.WWERR_API_ERROR_UI
430150638       499  package body PROTOCOL.WWERR_API_ERROR_UI
430150638       445  package body PROTOCOL.WWERR_API_ERROR_UI
42d0aba28      3089  package body PROTOCOL.WWPOB_PAGE
42d82ed78        30  anonymous block
-->

My question is this... What value is this to an attacker?  I can put
into the report all the vague recommendations that it could be used to
gain potentially sensitive information about the target and may be
used to mount a buffer overflow attack, but what real value does it
have?

Anyone seen it before?  What did you recommend and why?

I believe it can be eradicated by disabling the PLVtrc function, or at
the very least, redirecting the output of PLVtrc to a log file and not
to the web page.

Any thoughts?

Thanks,

--
Lee J Lawson
leejlawson () gmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."
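As an added example (not from the original post, and not Oracle's own tooling), a small Python checker a defender can run over saved HTTP responses to flag the two disclosures the post describes: an ORA- error code shown to the user, and the commented-out PL/SQL call stack, parsed into the leaked schema.package names and line numbers. The sample response is constructed from the values quoted above; the regexes and function names are this example's own.

```python
import re

# Constructed sample response modelled on the error page quoted in the post
# (the ORA- message plus the PL/SQL call stack left in an HTML comment).
SAMPLE_RESPONSE = """<html><body>
Error: ORA-06502: PL/SQL: numeric or value error: character to number
conversion error
<!-- ----- PL/SQL Call Stack -----
 object      line  object
 handle    number  name
430150638       601  package body PROTOCOL.WWERR_API_ERROR_UI
430150638       499  package body PROTOCOL.WWERR_API_ERROR_UI
42d0aba28      3089  package body PROTOCOL.WWPOB_PAGE
42d82ed78        30  anonymous block
-->
</body></html>"""

ORA_CODE = re.compile(r"\bORA-\d{5}\b")
STACK_BLOCK = re.compile(r"<!--\s*-+\s*PL/SQL Call Stack\s*-+(.*?)-->", re.S)
# A frame is: hex object handle, line number, object description.
STACK_FRAME = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\d+)\s+(.+?)\s*$")
PACKAGE_NAME = re.compile(r"package body\s+([A-Z0-9_$#]+\.[A-Z0-9_$#]+)")


def find_ora_errors(body):
    """Distinct ORA- codes shown to the user, in order of first appearance."""
    return list(dict.fromkeys(ORA_CODE.findall(body)))


def parse_call_stack(body):
    """Parse every frame of a leaked PL/SQL call stack comment into dicts."""
    frames = []
    for block in STACK_BLOCK.findall(body):
        for line in block.splitlines():
            m = STACK_FRAME.match(line)
            if m:  # the two header lines (object/line/handle/...) do not match
                frames.append({"handle": m.group(1), "line": int(m.group(2)),
                               "name": m.group(3)})
    return frames


def leaked_packages(body):
    """Sorted schema.package names the stack exposes (what goes in the report)."""
    names = set()
    for frame in parse_call_stack(body):
        m = PACKAGE_NAME.search(frame["name"])
        if m:
            names.add(m.group(1))
    return sorted(names)
```

Run it over the stored responses of a scan; any non-empty result from either function is a finding to retest after error output has been redirected to a log file rather than the page.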
