Home page logo

pen-test logo Penetration Testing mailing list archives

Oracle Application Server 10g question
From: "Lee Lawson" <leejlawson () gmail com>
Date: Wed, 14 Mar 2007 10:08:12 +0000

Hi all,

I am conducting a pen test of a web application built on Oracle
Application Server 10g.  Aside from all of the problems that this
system has with XSS, especially within the SSO, I have a question
regarding a specific error message that is returned.

Consider the following URL:

This is the home page.  If I replace the _pageid= value with a single
quote, I am presented with the following error on the web page.
Error: ORA-06502: PL/SQL: numeric or value error: character to number
conversion error

So a potential SQL injection point, but I cannot get anything to work
with it!  Within the source code of the page however, is the output
from what I believe is the PLVtrc function which traces the call stack
of the PL/SQL runtime engine.

<!-- ----- PL/SQL Call Stack -----
 object      line  object
 handle    number  name
430150638       601  package body PROTOCOL.WWERR_API_ERROR_UI
430150638       499  package body PROTOCOL.WWERR_API_ERROR_UI
430150638       445  package body PROTOCOL.WWERR_API_ERROR_UI
42d0aba28      3089  package body PROTOCOL.WWPOB_PAGE
42d82ed78        30  anonymous block

My question is this...What value is this to an attacker?  I can put
into the report all the vague recommendations that it could be used
gain potentially sensitive information about the target and may be
used to mount a buffer overflow attack, but what real value does it

Anyone seen it before?  What did you recommend and why?

I believe it can be eradicated by disabling the PLVtrc function, or at
the very least, redirecting the output of PLVtrc to a log file and not
to the web page.

Any thoughts?


Lee J Lawson
leejlawson () gmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]