[18359] in bugtraq
Re: Potential Vulnerabilities in Oracle Internet Application
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Wed Dec 27 20:10:47 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.30.0012262139170.25893-100000@dione.ids.pl>
Date:         Tue, 26 Dec 2000 21:42:14 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         Rajiv Sinha <rajiv.sinha@ORACLE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3A455E63.4ACAEBB7@oracle.com>

On Sat, 23 Dec 2000, Rajiv Sinha wrote:

> For modplsql in iAS, a second solution is to disable access to URLs
> which match certain criteria.  For example, in the case of SYS, OWA,
> and DBMS this may be done by adding the following rules to the
> plsql.conf file:
> /.../
> Note also that the plsql.conf file can be configured to include rules
> which prevent access to URLs containing specific SQL statements such as
> select, insert, grant, etc., keeping in mind that rules are case
> sensitive.

This fix is broken by design:

  http://server/pls/somedad/%0aselect...

...and so on. You should disallow *everything* except known procedure
names you really *want* to be called from the outside world, and disallow
*any* suspected special characters (spaces, tabs, cr/lfs and possibly
others).

--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
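
Added example (not part of the original message, and not Oracle's or mod_plsql's code): a Python sketch contrasting a case-sensitive prefix denylist with the allowlist approach the reply recommends, applied to the procedure part of a /pls/<dad>/ path. The procedure names, the denylist prefixes (the thread's actual rules are elided) and the sample paths are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: the only procedures this site means to expose (hypothetical names).
ALLOWED_PROCEDURES = {"catalog.show_item", "catalog.search"}

# Constructed stand-in for "block URLs matching certain criteria":
# case-sensitive prefixes compared against the start of the procedure part.
DENIED_PREFIXES = ("sys.", "owa", "dbms_", "select")

# A plain PL/SQL-style name: identifier, optionally schema.package.procedure.
# No whitespace, control characters, '%' or quotes can match.
IDENT = re.compile(r"[A-Za-z][A-Za-z0-9_$#]*(\.[A-Za-z][A-Za-z0-9_$#]*){0,2}")


def procedure_part(path):
    """Return the URL-decoded text after /pls/<dad>/, or None for other paths."""
    m = re.fullmatch(r"/pls/([^/]+)/(.*)", path.split("?", 1)[0], re.DOTALL)
    return unquote(m.group(2)) if m else None


def denylist_allows(path):
    """Denylist: allow anything that does not start with a listed prefix."""
    proc = procedure_part(path)
    return proc is not None and not proc.startswith(DENIED_PREFIXES)


def allowlist_allows(path):
    """Allowlist: reject unless the decoded name is a clean identifier
    and is one of the procedures deliberately exposed."""
    proc = procedure_part(path)
    if proc is None or not IDENT.fullmatch(proc):
        return False
    return proc.lower() in ALLOWED_PROCEDURES


if __name__ == "__main__":
    samples = [  # constructed request paths
        "/pls/somedad/catalog.show_item?id=7",
        "/pls/somedad/sys.example",
        "/pls/somedad/%0aselect",       # leading LF, as in the reply
        "/pls/somedad/%09sys.example",  # leading tab
        "/pls/somedad/catalog.search%20",
    ]
    for p in samples:
        print(f"{p!r:45} denylist={denylist_allows(p)} allowlist={allowlist_allows(p)}")
```

The denylist passes both whitespace-prefixed paths because the decoded name no longer starts with a listed prefix; the allowlist rejects them at the identifier check before any name comparison happens.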