Firstly, if the Portal Listener and modplsql are installed without changing the default configuration, any user can access the administrative pages for those services.
Secondly, if public access is granted to PL/SQL procedures which access an Oracle database, it may be possible to request from the web server a URL which accesses these procedures. If this is the case, then unauthorized SQL statements could be executed on a back-end Oracle database.
There are two approaches to working around the second vulnerability. The first is to revoke public access to procedures which can potentially execute SQL commands, such as OWA, SYS, and DBMS. For modplsql, a second approach is to deny access to all URLs except those for procedures which have a legitimate reason to be called through the web interface. This can be done by modifying the plsql.conf file. An example of a rule which denies access to all procedures under the pls directory is the following:
<Location /pls/*/*>
  SetHandler pls_handler
  Order deny,allow
  Deny from all
</Location>

Also, users should install patch #1554571 to Internet Application Server 1.0.2.0. (Later versions will include the patch.) This patch introduces a new configuration parameter, exclusion_list, which can be used to prevent special characters from being passed to mod_plsql.
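The following plsql.conf fragment is an added illustration, not taken from the advisory or from Oracle's documentation, of the allow-list approach the second workaround describes: the deny-all rule above is kept as the default, and a later, more specific Location section re-enables only the procedures that are meant to be reachable from the web. The DAD name "myapp" and the procedure name "myapp_ui.show_page" are placeholders, and the fragment assumes the standard Apache rule that later Location sections override earlier ones.

```apache
# Default rule: refuse every procedure under every DAD served by mod_plsql.
# With "Order deny,allow" and no Allow directive, every request is denied.
<Location /pls/*/*>
  SetHandler pls_handler
  Order deny,allow
  Deny from all
</Location>

# Allow-list entry: one procedure that has a legitimate reason to be called
# through the web interface. "myapp" (DAD) and "myapp_ui.show_page"
# (schema-qualified procedure) are placeholder names, not values from the advisory.
# Because this section appears later and is more specific, its "Allow from all"
# is evaluated last under "Order deny,allow" and overrides the deny above for
# this single URL only; every other procedure remains blocked.
<Location /pls/myapp/myapp_ui.show_page>
  SetHandler pls_handler
  Order deny,allow
  Allow from all
</Location>
```

Add one such Location section per procedure that must stay reachable; packages such as OWA, SYS and DBMS never get an entry, so they cannot be invoked through the web server even if public EXECUTE on them has not yet been revoked.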