Oracle vulnerabilities

Updated (3.1.4)

Impact

A remote user could execute arbitrary SQL commands or gain unauthorized access to pages which should be restricted.

Background

The Oracle Internet Application Server (iAS) integrates the capabilities of the Oracle database and Application Server into a web-based service which is accessible from an HTTP browser.

The Problem

There are two possible vulnerabilities in iAS.

Firstly, if the Portal Listener and modplsql are installed without changing the default configuration, any user can access the administrative pages for those services.

Secondly, if public access is granted to PL/SQL procedures which access an Oracle database, it may be possible to request from the web server a URL which accesses these procedures. If this is the case, then unauthorized SQL statements could be executed on a back-end Oracle database.

Resolution

To fix the first vulnerability, modify the wdbsvr.app file on WebDB/Portal so that the administrators variable is set to one or more users who are allowed administrator-level access. It is also a good idea to change the path name used to access the administrative pages, which is /pls/admin_/gateway.htm by default.

There are two approaches to working around the second vulnerability. The first is to revoke public access to procedures which can potentially execute SQL commands, such as OWA, SYS, and DBMS. For modplsql, a second approach is to deny access to all URLs except those for procedures which have a legitimate reason to be called through the web interface. This can be done by modifying the plsql.conf file. An example of a rule which denies access to all procedures under the pls directory is the following:

<Location /pls/*/*>
  SetHandler pls_handler
  Order deny,allow
  Deny from all
</Location>

Also, users should install patch #1554571 to Internet Application Server 1.0.2.0. (Later versions will include the patch.) This patch introduces a new configuration parameter, exclusion_list, which can be used to prevent special characters from being passed to mod_plsql.
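
To confirm that the default-deny approach above is actually in effect, the following added example (not part of the original advisory and not Oracle code) reviews access-log lines for requests to the default administrative path, to OWA/SYS/DBMS procedures, or to procedures that are not on an allowlist. The allowlist entry, the DAD name dad1, the procedure names and the log lines are constructed for illustration, and Common Log Format is assumed.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical allowlist: procedures with a legitimate reason to be web-callable.
ALLOWED = {"shop.show_catalog"}
# Package/schema names the advisory singles out (OWA, SYS, DBMS).
RESTRICTED = re.compile(r"^(owa|sys|dbms)([._]|$)")
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(url):
    """Return a verdict for one request URL under a default-deny /pls policy."""
    # PL/SQL identifiers are case-insensitive, so normalise before comparing.
    parts = unquote(urlsplit(url).path).lower().split("/")
    if len(parts) < 4 or parts[1] != "pls":
        return "not-plsql"
    dad, proc = parts[2], parts[3]
    if dad == "admin_":                 # default admin path: /pls/admin_/gateway.htm
        return "admin-page"
    if RESTRICTED.match(proc):
        return "restricted-package"
    return "allowed" if proc in ALLOWED else "not-allowlisted"

def audit(lines):
    """Return (client, url, status, verdict) for every request needing review."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, url, status = m.groups()
        verdict = classify(url)
        if verdict not in ("allowed", "not-plsql"):
            findings.append((client, url, int(status), verdict))
    return findings

# Constructed sample log (documentation IP ranges, placeholder procedure names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /pls/dad1/shop.show_catalog?id=7 HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2001:10:00:05 +0000] "GET /pls/admin_/gateway.htm HTTP/1.0" 200 2048',
    '198.51.100.7 - - [01/Jan/2001:10:00:09 +0000] "GET /pls/dad1/SYS.EXAMPLE_PROC HTTP/1.0" 200 90',
    '198.51.100.7 - - [01/Jan/2001:10:00:12 +0000] "GET /pls/dad1/dbms_example.proc HTTP/1.0" 403 210',
    '192.0.2.10 - - [01/Jan/2001:10:00:20 +0000] "GET /pls/dad1/reports.unlisted HTTP/1.0" 200 300',
    '192.0.2.10 - - [01/Jan/2001:10:00:30 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, url, status, verdict in audit(SAMPLE_LOG):
        # A 2xx status on a flagged request means the deny rule is not in effect.
        print(f"{verdict:18} {status} {client} {url}")
```

A flagged request that was answered with a 2xx status indicates the restriction is missing or misconfigured; a 403 shows the deny rule is being applied.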

Where can I read more about this?

This vulnerability was discussed in three postings to Bugtraq: 153010, 153186, and 155881.