[38655] in bugtraq
Webcache Client Requests Bypass OHS mod_access Restrictions
daemon@ATHENA.MIT.EDU (Alexander Kornbrust)
Thu Apr 28 17:27:39 2005
Date: 28 Apr 2005 17:23:36 -0000
Message-ID: <20050428172336.16058.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Alexander Kornbrust <ak@red-database-security.com>
To: bugtraq@securityfocus.com
Red-Database-Security GmbH Research Advisory
Name Webcache Client Requests Bypass OHS mod_access Restrictions
Systems Affected Oracle HTTP Server
Severity Medium Risk
Category Bypass protected URLs via Webcache
Vendor URL http://www.oracle.com
Author Alexander Kornbrust (ak at red-database-security.com)
Date 26 Apr 2005 (V 1.00)
Advisory number AKSEC2003-015
Description
###########
Without the parameter "UseWebcacheIP ON" it is possible to bypass Oracle HTTP Server
mod_access restrictions.
More details available:
#######################
http://www.red-database-security.com/advisory/oracle_webcache_bypass.html
Patch Information
#################
Add the new parameter "UseWebCacheIP ON" to the httpd.conf
History:
########
01 October 2003 Oracle secalert was informed
23 October 2003 Bug confirmed
26 April 2005 Advisory released
About Red-Database-Security GmbH
#################################
Red-Database-Security GmbH is a specialist in Oracle Security.
http://www.red-database-security.com
