Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Correction - Oracle Apache+WebDB info leakege

From: "Scalise, Marzio" <marzioscalise () KPMG it>
Date: Mon, 4 Feb 2002 17:03:55 +0100 


While I was going through the Oracle Apache+WebDB vulnerability, I found
something else also
interesting, I don't know if anyone has posted this before, but here it

goes

any way.



If you reques the following: http://<hostname>:<port>/pls/admin
The following info is displayed:
Sun, 3 Feb 2002 19:57:12 GMT
No DAD configuration Found
 DAD name:
 PROCEDURE  :
 URL        : http://<hostname>:<port>/pls/admin
 PARAMETERS :
 ===========

 ENVIRONMENT:
 ============
   PLSQL_GATEWAY=WebDb
   GATEWAY_IVERSION=2
   SERVER_SOFTWARE=Apache/1.3.12 (Unix) ApacheJServ/1.1 mod_perl/1.22


[CUT...]

Hi
Yes, Michal Zalewski has posted this bug.

http://www.securityfocus.com/archive/1/153186


There are 2 bug for Web DB.
1) you can "view" the DAD configuration on the Database server:

http://<host>/pls/<name_of_dad>/admin_/gateway.htm

2) the oracle webdb accept a PL-SQL procedure on the web, for example if you
write in the browser:

http://<hostname>:<port>/pls/<name_of_dad>/select%09*%09from%09cat%01 the
following info is displayed:

ORA-06550 row 7
PLS-00428 A INTO clause waited in this instruction .. (sorry i have webdb in
italian and i translate word by word)
PL/SQL: SQL statement ignored


hope this help 


 
                Marzio Scalise 
                Information Risk Management

                KPMG S.p.A.
                pgp key is available at:                         
                http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x606359A9
 


**************************************************************************
The information in this email is confidential and may be legally
privileged.
It is intended solely for the addressee. Access to this email by
anyone else is unauthorized. 

If you are not the intended recipient, any disclosure, copying,
distribution or any action taken or omitted to be taken in reliance
on it, is prohibited and may be unlawful. When addressed to 
our clients any opinions or advice contained in this email are 
subject to the terms and conditions expressed in the governing
KPMG client engagement letter.         
**************************************************************************
Previous By Date Next
Previous By Thread Next

Current thread: