>While I was going through the Oracle Apache+WebDB vulnerability, I found >something else also >interesting, I don't know if anyone has posted this before, but here it goes >any way. >If you reques the following: http://>:<port>/pls/admin >The following info is displayed: >Sun, 3 Feb 2002 19:57:12 GMT >No DAD configuration Found > DAD name: > PROCEDURE : > URL : http:// >:<port>/pls/admin > PARAMETERS : > =========== > > ENVIRONMENT: > ============ > PLSQL_GATEWAY=WebDb > GATEWAY_IVERSION=2 > SERVER_SOFTWARE=Apache/1.3.12 (Unix) ApacheJServ/1.1 mod_perl/1.22 [CUT...] Hi Yes, Michal Zalewski has posted this bug. http://www.securityfocus.com/archive/1/153186 There are 2 bug for Web DB. 1) you can "view" the DAD configuration on the Database server: http:// >/pls/<name_of_dad>/admin_/gateway.htm 2) the oracle webdb accept a PL-SQL procedure on the web, for example if you write in the browser: http:// >:<port>/pls/<name_of_dad>/select%09*%09from%09cat%01 the following info is displayed: ORA-06550 row 7 PLS-00428 A INTO clause waited in this instruction .. (sorry i have webdb in italian and i translate word by word) PL/SQL: SQL statement ignored hope this help Marzio Scalise Information Risk Management KPMG S.p.A. pgp key is available at: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x606359A9 ************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. **************************************************************************
This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 12:05:08 PST