Bugtraq: Re: Workaround for unpatched Oracle PLSQL Gateway flaw

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Workaround for unpatched Oracle PLSQL Gateway flaw

From: "David Litchfield" <davidl () ngssoftware com>
Date: Wed, 8 Feb 2006 19:48:32 -0000

So, like, what abouthttp://www.integrigy.com/info/IntegrigySecurityAnalysis-MODPLSQLVuln.pdf

This provides an excellent analysis of the problem. Further, it discussesthe recommendation made by Vladimir Zakharychev from Webrecruiter. Thisrecommendation is to set the "always_describe" /"PlsqlAlwaysDescribeProcedure" to "yes" / "on" in the "wdbsvr.app" /"dads.conf" file. This is a simple workaround and, as I can confirm, it doesprevent exploitation. Why on earth didn't Oracle make this simplerecommendation in the January 2006 CPU?

I hereby withdraw my workaround and would encourage everyone to adoptVladimir's.


Cheers,
David Litchfield

By Date By Thread

Current thread:

Re: Workaround for unpatched Oracle PLSQL Gateway flaw x (Feb 01)
- More on the workaround for the unpatched Oracle PLSQL Gateway flaw David Litchfield (Feb 02)
- Re: Workaround for unpatched Oracle PLSQL Gateway flaw ad () heapoverflow com (Feb 04)
- <Possible follow-ups>
- Re: Workaround for unpatched Oracle PLSQL Gateway flaw a (Feb 08)
  - Re: Workaround for unpatched Oracle PLSQL Gateway flaw David Litchfield (Feb 08)