VID 22045
Severity 30
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The PL/SQL administration pages of Oracle 9iAS do not require authentication. In a default installation of Oracle 9iAS the mod_plsql DAD admin interface is reachable over the network, so anyone can administer PL/SQL Database Access Descriptors (DADs) remotely without authenticating.
While this does not by itself let an attacker run commands, they could change the user ID and password a DAD uses to connect to the database server, attempting to escalate privileges by substituting a default account and password such as SYS, SYSTEM or CTXSYS. At the very least they could cause a denial of service.

To check whether your site is vulnerable, request the admin URL directly; if the administration page is returned without an authentication prompt, the server is affected:
http://oracleserver/pls/portal30/admin_/

* References:
http://www.securityfocus.com/bid/2150
http://www.iss.net/security_center/static/5818.php
Recommendation 1. Edit the DAD configuration file "wdbsvr.app", located in the $ORACLE_HOME\Apache\modplsql\cfg directory.
2. Set the "adminPath" entry to a private, non-default path instead of the default /admin_/ .
3. Restrict who may access the administration pages by listing the authorized users in the "administrators" entry (default: all), for example:
administrators = user1,user2
4. Restart the web server.
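The check above and the wdbsvr.app hardening steps, as an added example that is not part of the original advisory and not Oracle's code. It probes http://host/pls/<dad>/admin_/ and reports whether the admin page is served without an authentication challenge, and it audits a wdbsvr.app file for the two weak settings the advisory names. The INI-style layout with a [WVGATEWAY] section, the host name, the sample responses and the sample configuration texts are assumptions constructed for illustration.

```python
"""Added example (not from the original advisory): probe the Oracle 9iAS
mod_plsql DAD admin interface for unauthenticated access, and audit a
wdbsvr.app configuration for the weak settings the advisory describes.

Assumptions (not from the page): wdbsvr.app is an INI-style file whose
[WVGATEWAY] section holds the adminPath and administrators entries; the
sample configurations and HTTP responses below are constructed.
"""
import configparser
import http.client
import sys

# Well-known default admin path that the advisory recommends changing.
DEFAULT_ADMIN_PATH = "/admin_/"


def admin_url_exposed(status, headers):
    """Return True when the admin page is served without an auth challenge.

    A 401 with WWW-Authenticate means the gateway asked for credentials.
    A 200 without a challenge means anyone can reach the DAD admin pages.
    Any other status (403, 404, redirects) is treated as not exposed here.
    """
    if status == 401:
        return False
    if status == 200:
        return not any(k.lower() == "www-authenticate" for k in headers)
    return False


def probe(host, dad="portal30", port=80, timeout=10):
    """Request http://host/pls/<dad>/admin_/ and classify the response."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/pls/%s%s" % (dad, DEFAULT_ADMIN_PATH))
        resp = conn.getresponse()
        return admin_url_exposed(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


def audit_wdbsvr(text):
    """Return findings for the [WVGATEWAY] section of a wdbsvr.app file.

    Missing entries fall back to the defaults the advisory states
    (adminPath = /admin_/, administrators = all), so an untouched file
    produces both findings.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("WVGATEWAY"):
        return ["no [WVGATEWAY] section found"]
    sect = cp["WVGATEWAY"]
    findings = []
    admin_path = sect.get("adminPath", DEFAULT_ADMIN_PATH).strip()
    if admin_path == DEFAULT_ADMIN_PATH:
        findings.append("adminPath uses the well-known default /admin_/")
    admins = sect.get("administrators", "all").strip()
    if admins.lower() == "all":
        findings.append("administrators = all lets anyone administer DADs")
    return findings


# Constructed sample: the default (weak) settings.
WEAK_CONFIG = """[WVGATEWAY]
adminPath = /admin_/
administrators = all
"""

# Constructed sample: a private admin path and a named administrator list.
HARDENED_CONFIG = """[WVGATEWAY]
adminPath = /x9q2k_mgmt_/
administrators = user1,user2
"""


if __name__ == "__main__":
    # Usage: python check_modplsql_admin.py <host> [dad]
    target = sys.argv[1] if len(sys.argv) > 1 else "oracleserver"
    dad_name = sys.argv[2] if len(sys.argv) > 2 else "portal30"
    print("admin interface exposed:", probe(target, dad_name))
    for finding in audit_wdbsvr(WEAK_CONFIG):
        print("weak config:", finding)
```

Run the probe against a host you are authorized to test; a True result means the admin page came back with a 200 and no WWW-Authenticate header. The audit function can be pointed at the real file with audit_wdbsvr(open(path).read()) after the path change and administrators list have been applied.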
Related URL CVE-2000-1235 (CVE)
Related URL http://www.securityfocus.com/bid/2150 (SecurityFocus)
Related URL http://www.iss.net/security_center/static/5818.php (ISS)