VID 12047
Severity 40
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The Oracle9i Application Server has a buffer overflow vulnerability in its PL/SQL Apache module, triggered by an overly long request for the help page.
Oracle 9i Application Server uses the Apache HTTP server to provide web services, including access to stored procedures via the PL/SQL module (modplsql or mod_plsql). The PL/SQL Apache module for Oracle 9iAS also allows remote users to administer DADs (Database Access Descriptors) and to access help pages. Normally, access to the DAD administration path ("/admin_") is restricted by username and password; the help pages under it, however, are not, so an anonymous user can reach them. This PL/SQL module has a buffer overflow vulnerability, which is triggered when a remote attacker sends an excessively long request for a help page, such as the following:

GET /pls/portal30/admin_/help/AAAAAA....['A'*215].....AAAAAAAA HTTP/1.0

Such a request can overflow a memory buffer and overwrite the saved return address on the stack. As a result, a remote attacker can simply crash the Apache server or execute arbitrary code of the attacker's choice. On Windows NT or 2000, the Apache service typically runs in the security context of the SYSTEM account, so the code executes with SYSTEM privileges and a remote attacker can gain complete control of the system.
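As an added example (not part of this advisory or of Oracle's software), the following check flags access-log entries with the request shape described above, so a defender can spot attempts against servers that have not yet been patched or reconfigured. The log lines, the 128-byte cut-off and the DAD name "portal30" are constructed assumptions.

```python
import re

# Constructed Apache access-log sample (not real traffic). The second line has the
# request shape the advisory describes: an overly long argument after /admin_/help/.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [10/Jan/2002:10:01:02 +0900] "GET /pls/portal30/admin_/help/ HTTP/1.0" 200 1532',
    '10.0.0.5 - - [10/Jan/2002:10:01:09 +0900] "GET /pls/portal30/admin_/help/'
    + "A" * 215 + ' HTTP/1.0" 500 0',
    '10.0.0.7 - - [10/Jan/2002:10:02:00 +0900] "GET /pls/portal30/docs/index.html HTTP/1.0" 200 812',
    '10.0.0.9 - - [10/Jan/2002:10:03:11 +0900] "POST /pls/portal30/admin_/gateway.htm HTTP/1.0" 401 0',
])

# Client, timestamp and request line of a common/combined-format log entry.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)

# /pls/<DAD>/<adminPath>/help/<topic>. The admin segment is not hardcoded, so the rule
# still fires after the workaround renames "adminPath" in wdbsvr.app.
HELP_RE = re.compile(r'^/pls/[^/]+/[^/]+/help/(?P<topic>[^?]*)')

# Assumed cut-off: real help topics are short names, and 128 bytes is well under the
# 215-byte length the advisory cites, so an attempt is caught with margin to spare.
MAX_TOPIC_LEN = 128

def flag_long_help_requests(log_text: str, max_len: int = MAX_TOPIC_LEN) -> list:
    """Return one finding per request whose mod_plsql help topic exceeds max_len bytes."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        h = HELP_RE.match(m.group("path"))
        if not h:
            continue  # not a help-page request
        topic_len = len(h.group("topic"))
        if topic_len > max_len:
            findings.append({
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "dad": m.group("path").split("/")[2],
                "topic_len": topic_len,
            })
    return findings

if __name__ == "__main__":
    for f in flag_long_help_requests(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} DAD={f['dad']} help-topic length={f['topic_len']}")
```

A hit on an unpatched server is a reason to apply the patch or the adminPath workaround below and to review that client's other requests.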

* Platforms Affected:
Oracle9i Application Server 1.0.2.x (all versions)

* References:
http://online.securityfocus.com/bid/3726
http://www.iss.net/security_center/static/7727.php
Recommendation Apply Patch #2128936 from Oracle's MetaLink web site:
1. Go to Oracle's MetaLink web site: http://metalink.oracle.com
2. Log in to MetaLink
3. Select the "Patches" button and enter patch number 2128936
4. Click the "Submit" button to download it.

-- OR --

As a workaround, change the default "/admin_" path:
1. Open the file "/Apache/modplsql/cfg/wdbsvr.app" under [Oracle_Home_Dir].
2. Change the "adminPath" entry from its default to a different value.
Related URL CVE-2001-1216 (CVE)