Re: Oracle Web Listener

From: Posick, Steve (steve.posickat_private)
Date: Mon Nov 29 1999 - 06:36:25 PST


    We've addressed this problem by creating 2 accounts: 1 that owns the
    procedures to be executed (www_user) and 1 that is called by the listener
    (www_connect). www_connect is only granted execute rights on the procedures
    and packages it needs to execute. Since Oracle stored procedures execute as
    their owner, they will be able to access all the resources they need, while
    the www_connect account will be limited to only what was explicitly
    granted to it.
    
    
    		-----Original Message-----
    		From:	Mnemonix [mailto:mnemonixat_private]
    		Sent:	Thursday, November 25, 1999 4:46 PM
    		To:	BUGTRAQat_private
    		Subject:	Oracle Web Listener
    
    		There is a problem (seems to be a bug) with Oracle Web Listener where a
    		resource can be accessed when it shouldn't be able to be accessed:
    
    		Consider the following setup:
    		Access to http://host/ows-bin/owa/thenormal.app _is_ allowed.
    
    		However, access to the owa_util package in the same dir is not allowed, so
    		requesting http://host/ows-bin/owa/owa_util.signature causes the Oracle Web
    		Listener to throw back an HTTP 401 response, i.e. it requires a user id and
    		password. However, by making a request and substituting the _ with %5f (e.g.
    		http://host/ows-bin/owa/owa%5futil.signature) we're granted access. Or
    		using %2e instead of the dot (e.g. http://host/ows-bin/owa/owa_util%2esignature)
    		does the same: we're given access then, too.
    
    		Sites that protect access to owa_util using this method will be at great
    		risk from queries using showsource, cellsprint, tableprint and listprint.
    
    		Version Oracle_Web_listener2.1/1.20in2 on Solaris was tested. More recent
    		and earlier versions may also be affected, but that's not known yet. Anybody
    		with access to such versions - could you check?
    
    		TIA
    		Cheers,
    		David Litchfield
    		http://www.infowar.co.uk/mnemonix/
    		Cerberus Information Security
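The bypass described in the quoted post is a canonicalization failure: the listener compares the protected package name against the request path before the path has been percent-decoded, so `owa%5futil` and `owa_util%2esignature` never match the literal `owa_util` rule. The block below is an added example, not code from Oracle or from either poster; the listener's real matching logic is not public, so the protection list, the function names and the decode-then-match ordering are assumptions that model the behaviour the post reports. It goes slightly beyond the post by also folding case, since unquoted PL/SQL identifiers are case-insensitive and `OWA_UTIL.signature` would resolve to the same package.

```python
"""Model of the percent-encoding bypass against a per-package access rule.

Constructed example (not Oracle Web Listener's own code). A request for
/ows-bin/owa/<package>.<procedure> is checked against a list of packages that
require authentication. The naive check matches the raw request path, which is
what the post describes; the canonical check decodes and case-folds first.
"""
from urllib.parse import unquote

# Hypothetical protection list: packages under /ows-bin/owa/ that need a login.
PROTECTED_PACKAGES = {"owa_util"}

# Upper bound on repeated decoding, so a double-encoded %255f still resolves.
MAX_DECODE_PASSES = 3


def package_of(path: str) -> str:
    """Return the <package> part of /ows-bin/owa/<package>.<procedure>."""
    last_segment = path.rsplit("/", 1)[-1]
    return last_segment.split(".", 1)[0]


def naive_is_protected(raw_path: str) -> bool:
    """Vulnerable: matches the still-encoded path byte for byte.

    'owa%5futil.signature' yields package 'owa%5futil' and
    'owa_util%2esignature' yields 'owa_util%2esignature'; neither is in the
    list, so both are waved through even though they reach owa_util.
    """
    return package_of(raw_path) in PROTECTED_PACKAGES


def canonicalize(raw_path: str) -> str:
    """Percent-decode until the path stops changing, then lower-case it."""
    path = raw_path
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def canonical_is_protected(raw_path: str) -> bool:
    """Hardened: decide on the canonical form the database will actually see."""
    return package_of(canonicalize(raw_path)) in PROTECTED_PACKAGES


def authorize(raw_path: str, *, canonicalize_first: bool) -> int:
    """Return the HTTP status the gateway would answer with: 401 or 200."""
    protected = (canonical_is_protected if canonicalize_first
                 else naive_is_protected)(raw_path)
    return 401 if protected else 200


if __name__ == "__main__":
    # Constructed request paths, including the two variants from the post.
    for path in ("/ows-bin/owa/thenormal.app",
                 "/ows-bin/owa/owa_util.signature",
                 "/ows-bin/owa/owa%5futil.signature",
                 "/ows-bin/owa/owa_util%2esignature",
                 "/ows-bin/owa/OWA_UTIL.signature"):
        print(f"{path:45s} naive={authorize(path, canonicalize_first=False)} "
              f"canonical={authorize(path, canonicalize_first=True)}")
```

The rule that matters is ordering: any decoding the back end will perform (percent-decoding, case folding of identifiers) has to happen before the authorization decision, not after it. Steve's two-account scheme is complementary rather than a substitute: it limits what a request that does slip past the listener can reach once it is inside the database.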
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:41 PDT