| Field | Value |
|---|---|
| VID | 22130 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | Oracle 9i Application Server (9iAS) allows access to Dynamic Monitoring Services without authentication. Oracle 9iAS bundles the Apache web server together with several Apache-based services that are installed and enabled by default. One of these, DMS (Dynamic Monitoring Service), is a performance evaluation and resource monitoring tool that exposes built-in performance metrics which can be sampled while the server is running. In a default installation of Oracle 9iAS, a remote attacker can reach default services such as DMS without credentials and obtain sensitive information about the server from them. References: http://online.securityfocus.com/bid/4293 , http://www.iss.net/security_center/static/8455.php |
| Recommendation | As a workaround, edit the 'httpd.conf' file to restrict access to the following pages: http://oracle_server/dms0 , http://oracle_server/dms/DMSDump , http://oracle_server/servlet/DMSDump , http://oracle_server/servlet/Spy , http://oracle_server/soap/servlet/Spy , http://oracle_server/dms/AggreSpy . Refer to the following site for detailed instructions: http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf |
| Related URL | CVE-2002-0563 (CVE) |
| Related URL | http://online.securityfocus.com/bid/4293 (SecurityFocus) |
| Related URL | http://www.iss.net/security_center/static/8455.php (ISS) |
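The following is an added example of the httpd.conf workaround recommended above; it is not taken from this entry or from Oracle's alert. It assumes the Apache 1.3 access-control syntax (Order/Deny/Allow) that Oracle 9iAS shipped with (Apache 2.4 uses Require instead), that the file is $ORACLE_HOME/Apache/Apache/conf/httpd.conf, and that the local host plus a placeholder admin network 10.0.0.0/8 are the only clients that should ever reach the monitoring pages:

```apache
# Added example (not from the advisory): close the DMS / Spy pages listed
# above to everyone except the local host and an assumed admin network.
# Apache 1.3 syntax (Order/Deny/Allow) as bundled with Oracle 9iAS.
# Assumed file: $ORACLE_HOME/Apache/Apache/conf/httpd.conf

<LocationMatch "^/(dms0|dms/DMSDump|dms/AggreSpy|servlet/DMSDump|servlet/Spy|soap/servlet/Spy)">
    # deny rules are evaluated first, then Allow lines punch holes in them
    Order deny,allow
    Deny from all
    # 10.0.0.0/255.0.0.0 is a placeholder admin network: replace it with
    # your own, or delete both Allow lines to block the pages for all clients.
    Allow from 127.0.0.1
    Allow from 10.0.0.0/255.0.0.0
</LocationMatch>
```

After restarting the server ($ORACLE_HOME/Apache/Apache/bin/apachectl restart), confirm from a host outside the allowed range that `curl -I http://oracle_server/dms0` returns 403 rather than 200, and repeat for each listed path. Two caveats: the LocationMatch only covers the URL paths named in this entry, so any virtual host or extra listener the scanner flags (the Port field reads "80, ...") needs the same block, and an IP-based allow list is a mitigation, not a replacement for the vendor fix referenced above.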