Penetration Testing mailing list archives
Oracle Application Server 10g question
From: "Lee Lawson" <leejlawson () gmail com>
Date: Wed, 14 Mar 2007 10:08:12 +0000
Hi all,

I am conducting a pen test of a web application built on Oracle Application Server 10g. Aside from all of the problems that this system has with XSS, especially within the SSO, I have a question regarding a specific error message that is returned.

Consider the following URL:

    http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL

This is the home page. If I replace the _pageid= value with a single quote, I am presented with the following error on the web page:

    Error: ORA-06502: PL/SQL: numeric or value error: character to number conversion error

So a potential SQL injection point, but I cannot get anything to work with it! Within the source code of the page, however, is the output from what I believe is the PLVtrc function, which traces the call stack of the PL/SQL runtime engine:

    <!-- ----- PL/SQL Call Stack -----
      object      line  object
      handle    number  name
    430150638     601  package body PROTOCOL.WWERR_API_ERROR_UI
    430150638     499  package body PROTOCOL.WWERR_API_ERROR_UI
    430150638     445  package body PROTOCOL.WWERR_API_ERROR_UI
    42d0aba28    3089  package body PROTOCOL.WWPOB_PAGE
    42d82ed78      30  anonymous block
    -->

My question is this: what value is this to an attacker? I can put into the report all the vague recommendations that it could be used to gain potentially sensitive information about the target and may be used to mount a buffer overflow attack, but what real value does it have? Anyone seen it before? What did you recommend and why?

I believe it can be eradicated by disabling the PLVtrc function, or at the very least, redirecting the output of PLVtrc to a log file and not to the web page.

Any thoughts?

Thanks,

-- 
Lee J Lawson
leejlawson () gmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."
"Quidquid latine dictum sit, altum sonatur."
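As an added example (not from Lee's post and not Oracle's own tooling), here is a small Python checker a tester or log reviewer could run over captured HTTP response bodies to flag the two disclosures discussed above: ORA- error codes in the visible page and a PL/SQL call-stack dump hidden in an HTML comment. The sample body is constructed to mirror the output quoted in the post; the frame layout (object handle, line number, object name) is taken from that dump.

```python
import re

# Constructed sample response body, modelled on the error page quoted in the post.
SAMPLE_BODY = """<html><body>
Error: ORA-06502: PL/SQL: numeric or value error: character to number conversion error
<!-- ----- PL/SQL Call Stack -----
  object      line  object
  handle    number  name
430150638     601  package body PROTOCOL.WWERR_API_ERROR_UI
430150638     499  package body PROTOCOL.WWERR_API_ERROR_UI
430150638     445  package body PROTOCOL.WWERR_API_ERROR_UI
42d0aba28    3089  package body PROTOCOL.WWPOB_PAGE
42d82ed78      30  anonymous block
-->
</body></html>"""

ORA_CODE_RE = re.compile(r"\bORA-\d{5}\b")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# One stack frame: hex object handle, decimal line number, then the object name.
FRAME_RE = re.compile(r"^\s*([0-9a-f]+)\s+(\d+)\s+(.+?)\s*$", re.IGNORECASE)

def find_ora_codes(body):
    """Distinct ORA-NNNNN codes in the body, in order of first appearance."""
    seen = []
    for code in ORA_CODE_RE.findall(body):
        if code not in seen:
            seen.append(code)
    return seen

def parse_call_stack(body):
    """Frames leaked inside HTML comments as (handle, line, name) tuples.

    Header lines such as 'object line object' do not start with a hex handle,
    so FRAME_RE skips them; an empty list means no call stack was leaked.
    """
    frames = []
    for comment in COMMENT_RE.findall(body):
        if "PL/SQL Call Stack" not in comment:
            continue
        for line in comment.splitlines():
            m = FRAME_RE.match(line)
            if m:
                frames.append((m.group(1), int(m.group(2)), m.group(3)))
    return frames

def assess(body):
    """Summarise what Oracle internals a response discloses, for a finding write-up."""
    codes, frames = find_ora_codes(body), parse_call_stack(body)
    objects = list(dict.fromkeys(name for _, _, name in frames))
    return {"ora_codes": codes, "stack_frames": len(frames),
            "objects": objects, "leaks_internals": bool(codes or frames)}
```

Running `assess` over each response in a crawl log gives a per-page record of which schema and package names were exposed, which is what a remediation ticket (disable the trace output or route it to a server-side log) needs to cite.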