| Field | Value |
|---|---|
| VID | 22349 |
| Severity | 40 |
| Port | 7778, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The Oracle9iAS Application Server is vulnerable to an access restriction bypass. Oracle9iAS Application Server can be configured with a list of forbidden URIs using 'mod_access'. In Oracle9iAS Application Server versions 1.0.2 to 10.x, when UseWebCacheIP is disabled, a remote attacker could bypass mod_access restrictions by going through the Web Cache on port 7778 rather than directly to Oracle HTTP Server on port 7779, and so access restricted URLs on the Web server. |
| References | http://www.red-database-security.com/advisory/oracle_webcache_bypass.html ; http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=263943.1 ; http://secunia.com/advisories/15143/ |
| Platforms Affected | Oracle, Oracle9iAS Application Server 1.0.2 to 10.x; any operating system, any version |
| Recommendation | Apply the patch for this vulnerability, available from the Oracle Support Web page at http://www.oracle.com/support/index.html. As a workaround, add "UseWebCacheIP ON" to the httpd.conf of the Oracle HTTP Server (OHS). |
| Related URL | CVE-2005-1383 (CVE) |
| Related URL | 13418 (SecurityFocus) |
| Related URL | 20311 (ISS) |
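
A configuration check for the workaround above, as an added example that is not part of the original record or of Oracle's tooling: it reads httpd.conf text, lists the mod_access Allow/Deny rules, and flags the file when such rules exist while UseWebCacheIP is not set to ON. The sample configuration, the `/restricted-app` path, the function name and the treatment of an absent directive as disabled are assumptions.

```python
import re

# Constructed sample httpd.conf fragment (not taken from a real server).
SAMPLE_WEAK = """\
# constructed sample for illustration
Port 7779
<Location /restricted-app>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Location>
"""
SAMPLE_FIXED = SAMPLE_WEAK + "UseWebCacheIP ON\n"


def audit_ohs_config(text):
    """Return (use_webcache_ip, restrictions, exposed) for httpd.conf text."""
    use_webcache_ip = False  # assumption: an absent directive counts as disabled
    restrictions = []        # (line number, enclosing section, directive text)
    sections = []            # stack of open <Location>/<Directory>/... blocks
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue         # blank lines and commented-out directives do nothing
        if re.match(r"</\w+", line):
            if sections:
                sections.pop()
            continue
        opening = re.match(r"<(\w+)\s*([^>]*)>", line)
        if opening:
            sections.append(f"{opening.group(1)} {opening.group(2)}".strip())
            continue
        name, _, value = line.partition(" ")
        value = value.strip()
        # Apache directive names are case-insensitive.
        if name.lower() == "usewebcacheip":
            use_webcache_ip = value.lower() == "on"  # last occurrence wins
        elif name.lower() in ("allow", "deny") and value.lower().startswith("from"):
            scope = sections[-1] if sections else "(global)"
            restrictions.append((lineno, scope, line))
    # mod_access rules that are present while UseWebCacheIP is off are the
    # condition the record describes.
    exposed = bool(restrictions) and not use_webcache_ip
    return use_webcache_ip, restrictions, exposed


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, audit_ohs_config(conf))
```
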