Re: Correction - Oracle Apache+WebDB info leakage

From: Scalise, Marzio (marzioscaliseat_private)
Date: Mon Feb 04 2002 - 08:03:55 PST


    >While I was going through the Oracle Apache+WebDB vulnerability, I found
    >something else also interesting, I don't know if anyone has posted this
    >before, but here it goes anyway.
    
    >If you request the following: http://>:<port>/pls/admin
    >The following info is displayed:
    >Sun, 3 Feb 2002 19:57:12 GMT
    >No DAD configuration Found
    >  DAD name:
    >  PROCEDURE  :
    >  URL        : http://>:<port>/pls/admin
    >  PARAMETERS :
    >  ===========
    >
    >  ENVIRONMENT:
    >  ============
    >    PLSQL_GATEWAY=WebDb
    >    GATEWAY_IVERSION=2
    >    SERVER_SOFTWARE=Apache/1.3.12 (Unix) ApacheJServ/1.1 mod_perl/1.22
    
    [CUT...]
    
    Hi
    Yes, Michal Zalewski has posted this bug.
    
    http://www.securityfocus.com/archive/1/153186
    
    
    There are 2 bugs for Web DB.
    1) You can "view" the DAD configuration on the database server:
    
    http://>/pls/<name_of_dad>/admin_/gateway.htm
    
    2) Oracle WebDB accepts a PL/SQL procedure on the web, for example if you
    write in the browser:
    
    http://>:<port>/pls/<name_of_dad>/select%09*%09from%09cat%01
    
    the following info is displayed:
    
    ORA-06550 row 7
    PLS-00428 A INTO clause waited in this instruction .. (sorry, I have WebDB in
    Italian and I translate word by word)
    PL/SQL: SQL statement ignored
    
    
    Hope this helps
    
    
     
     		Marzio Scalise 
     		Information Risk Management
    
     		KPMG S.p.A.
     		pgp key is available at:                         
     		http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x606359A9
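
Added example, not part of the original message: a small Python check that scans Apache access-log lines for the two request shapes described above (the `admin_` gateway pages, and a "procedure" segment that is not a plain PL/SQL identifier). The DAD name `portal_dad`, the sample log lines and the rule that a legitimate procedure segment looks like `[schema.][package.]procedure` are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Request field of a Common Log Format line: "METHOD path PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate procedure segment is [schema.][package.]procedure
PROC_NAME_RE = re.compile(r'[A-Za-z][\w$#]*(?:\.[A-Za-z][\w$#]*){0,2}')

def classify(path):
    """Return a finding label for a /pls/ request path, or None."""
    parts = path.split("?", 1)[0].split("/")   # ['', 'pls', dad, rest...]
    if len(parts) < 4 or parts[1].lower() != "pls":
        return None
    if parts[3].lower() == "admin_":
        return "gateway-admin-page"            # bug 1: DAD configuration pages
    proc = unquote("/".join(parts[3:]))        # decode %09, %01, ...
    if proc and not PROC_NAME_RE.fullmatch(proc):
        return "non-identifier-procedure"      # bug 2: SQL text in procedure slot
    return None

def scan(lines):
    """Return (line_number, label, path) for every suspicious request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        label = classify(match.group(1)) if match else None
        if label:
            findings.append((number, label, match.group(1)))
    return findings

# Constructed sample log lines (documentation addresses, hypothetical DAD name)
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Feb/2002:08:00:01 -0800] "GET /pls/portal_dad/hr.emp_pkg.list?dept=10 HTTP/1.0" 200 5120',
    '192.0.2.44 - - [04/Feb/2002:08:01:12 -0800] "GET /pls/portal_dad/admin_/gateway.htm HTTP/1.0" 200 2048',
    '192.0.2.44 - - [04/Feb/2002:08:01:40 -0800] "GET /pls/portal_dad/select%09*%09from%09cat%01 HTTP/1.0" 200 512',
    '192.0.2.10 - - [04/Feb/2002:08:02:03 -0800] "GET /index.html HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for number, label, path in scan(SAMPLE_LOG):
        print(f"line {number}: {label}: {path}")
```
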
     
    
    
    


