Family: Databases --> Category: infos
Oracle 9iAS OWA UTIL access Vulnerability Scan
Vulnerability Scan Summary
Attempts to access the OWA_UTIL program directly
Detailed Explanation for this Vulnerability Test
Oracle 9iAS can provide access to the PL/SQL application OWA_UTIL, which
provides web access to some stored procedures. These procedures,
without authentication, can allow users to access sensitive information
such as source code of applications and user credentials to other database
servers, and to run arbitrary SQL queries on servers accessed by the application
server.
Solution:
Apply the appropriate patch listed
in http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf,
which details how you can restrict unauthenticated access to procedures
using the exclusion_list parameter in the PL/SQL gateway configuration file:
/Apache/modplsql/cfg/wdbsvr.app.
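A configuration check for the exclusion_list mitigation described above, as an added example that is not part of the original plugin or of Oracle's tooling. It assumes wdbsvr.app is an INI-style file with one [DAD_name] section per database access descriptor, ";" as the comment marker, and exclusion_list holding comma-separated patterns with "*" wildcards; the shell-style matching below only approximates the gateway's own, and the sample file and procedure name are constructed placeholders.

```python
import fnmatch

# Constructed sample in the assumed wdbsvr.app layout; DAD names and values are made up.
SAMPLE = """\
[WVGATEWAY]
defaultDAD = portal
[DAD_portal]
connect_string = db1
exclusion_list = sys.*, dbms_*, owa*
[DAD_legacy]
connect_string = db2
;exclusion_list = owa*
[DAD_partial]
exclusion_list = sys.*, dbms_*
"""

# Placeholder procedure name, bare and schema-qualified (the SYS owner is an assumption).
PROBES = ("owa_util.example_proc", "sys.owa_util.example_proc")

def parse_dads(text):
    """Return {dad_name: exclusion patterns, or None when the parameter is absent}."""
    dads, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or commented-out setting (assumed ';' marker)
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            current = name if name.upper().startswith("DAD_") else None
            if current:
                dads[current] = None
        elif current and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "exclusion_list":
                dads[current] = [p.strip().lower() for p in value.split(",") if p.strip()]
    return dads

def audit(text):
    """Return {dad_name: probes not blocked}; an empty list means OWA_UTIL is excluded."""
    report = {}
    for dad, patterns in parse_dads(text).items():
        report[dad] = [p for p in PROBES
                       if not any(fnmatch.fnmatchcase(p, pat) for pat in (patterns or []))]
    return report

if __name__ == "__main__":
    for dad, exposed in audit(SAMPLE).items():
        print(dad, "OK" if not exposed else "OWA_UTIL not excluded: " + ", ".join(exposed))
```

A DAD whose exclusion_list is commented out is reported the same way as one that never sets it, which is the case a quick text search of the file tends to miss.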
More information:
http://www.kb.cert.org/vuls/id/307835
http://www.cert.org/advisories/CA-2002-08.html
http://otn.oracle.co.kr/docs/oracle78/was3x/was301/cart/psutil.htm
Also read:
Hackproofing Oracle Application Server from NGSSoftware:
available at http://www.nextgenss.com/papers/hpoas.pdf
Threat Level: High