VID: 22172
Severity: 40
Port: 80, ...
Protocol: TCP
Class: WWW
Detailed Description:
The Oracle 9i Application Server allows anonymous users to access stored procedures via the OWA_UTIL PL/SQL package. OWA_UTIL, installed as part of the PL/SQL (Procedural Language/Structured Query Language) Toolkit, provides web access to many stored procedures. By default, the package allows anonymous users to reach these procedures over the web without authentication. The following lists the procedures accessible through the OWA_UTIL package and the impact of each:
* OWA_UTIL.signature: Used to verify access to the OWA_UTIL package, based on the message returned for the URL http://oracle_server/pls/dadname/owa_util.signature. If protection is configured, an attacker can bypass it by inserting a space, tab or newline character in front of the package name, as in the following URLs:
http://oracle_server/pls/dadname/%20owa_util.signature
http://oracle_server/pls/dadname/%0aowa_util.signature
http://oracle_server/pls/dadname/%08owa_util.signature
* OWA_UTIL.showsource: Allows an attacker to view the source code of a specified PL/SQL application. Requesting the URL http://oracle_server/pls/dadname/owa_util.showsource?cname=books returns the source code of the "books" package.
* OWA_UTIL.cellsprint: Allows an attacker to run arbitrary SELECT SQL queries. The database link table sys.link$ lists other database servers together with their connection information, such as user ID and password. By querying sys.link$, an attacker can cause the database server to look up the name of another database server and connect to it with the user ID and password defined there, for example:
http://oracle_server/pls/dadname/owa_util.cellsprint?p_theQuery=select * from sys.dba_users@other.world
* OWA_UTIL.listprint: Like cellsprint, allows an attacker to run arbitrary SQL queries, but returns only the specified columns.
* OWA_UTIL.show_query_columns: Allows an attacker to obtain the list of column names of a database table, for example: http://oracle_server/pls/dadname/owa_util.show_query_columns?ctable=sys.dba_users
Because these procedures disclose sensitive information, a remote attacker can view the source code of PL/SQL applications, obtain credentials for and access to other database servers, and run SQL queries on the accessible database server.
* Platforms Affected: All (*nix, Windows) with Oracle9i Application Server 1.0.2.X
* References: http://online.securityfocus.com/bid/4294 http://www.nextgenss.com/papers/hpoas.pdf
Recommendation:
Block or restrict access to PL/SQL procedures and applications:
1. Open the PL/SQL gateway configuration file, [Oracle_Home_Dir]/Apache/modplsql/cfg/wdbsvr.app
2. Add the following rule to this file:
   exclusion_list = *(*, account*, sys*, dbms_*, owa.*, htp.*, htf.*
For more information, refer to the section titled "Protecting the PL/SQL Procedures Granted to PUBLIC" in the "Oracle9iAS Security Guide", part of the core documentation reachable from "Getting Started" on the site http://download-west.oracle.com/docs/cd/A97329_03/index.htm
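As an added example (not part of this entry or of Oracle's software), a Python check that normalises PL/SQL gateway requests taken from web-server access logs before matching them against the excluded package names, so that the encoded-whitespace variants listed in the description are flagged together with the plain owa_util requests; the log lines, the DAD name "dadname" and the watched prefix list are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original entry). The
# %20, %0a and %08 prefixes are the bypass variants the entry describes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2002:10:00:01 +0000] "GET /pls/dadname/owa_util.signature HTTP/1.0" 200 312
10.0.0.5 - - [10/Mar/2002:10:00:02 +0000] "GET /pls/dadname/%20owa_util.signature HTTP/1.0" 200 312
10.0.0.5 - - [10/Mar/2002:10:00:03 +0000] "GET /pls/dadname/%0aowa_util.showsource?cname=books HTTP/1.0" 200 5120
10.0.0.5 - - [10/Mar/2002:10:00:04 +0000] "GET /pls/dadname/%08owa_util.cellsprint?p_theQuery=select+*+from+sys.dba_users HTTP/1.0" 200 2048
10.0.0.6 - - [10/Mar/2002:10:00:05 +0000] "GET /pls/dadname/books.list HTTP/1.0" 200 1500
10.0.0.7 - - [10/Mar/2002:10:00:06 +0000] "GET /index.html HTTP/1.0" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Gateway requests look like /pls/<dad>/<package.procedure>[?params]
PLS_RE = re.compile(r"^/pls/[^/]+/(?P<proc>[^/?]+)")

# Packages from the recommendation's exclusion_list, plus owa_util itself.
# Compared as prefixes of the normalised name, so leading whitespace or
# control characters in the request no longer slip past the match.
WATCHED_PREFIXES = ("owa_util.", "owa.", "sys.", "dbms_", "htp.", "htf.")


def normalize_procedure(path):
    """Return the canonical package.procedure named in a gateway path, or None.

    Percent-decode first, then strip leading whitespace and control
    characters, so '%20owa_util.signature' becomes 'owa_util.signature'.
    """
    m = PLS_RE.match(unquote(path))
    if not m:
        return None
    return m.group("proc").lstrip(" \t\r\n\x08\x0b\x0c").lower()


def find_watched_access(log_text):
    """Return (client, normalised procedure, raw path) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        proc = normalize_procedure(m.group("path"))
        if proc and proc.startswith(WATCHED_PREFIXES):
            hits.append((line.split()[0], proc, m.group("path")))
    return hits
```

Run against the sample log, all four owa_util requests are reported under their normalised names, while the ordinary application request and the non-gateway request are not.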
Related URL: CVE-2002-0560 (CVE)
Related URL: (SecurityFocus)
Related URL: (ISS)