Oracle Web Listener is the component of Oracle's Web server product that links the Oracle Application Server to the Web; it is a complete HTTP server in its own right. It contains a security hole that lets a remote attacker reach files and PL/SQL procedures that are meant to be protected, whether by file permissions or by username/password authentication, simply by requesting them under a percent-encoded name that the listener's access check does not recognise but its request handler still resolves.
Credit:
This information has been provided by: Mnemonix.
The solution was suggested by: Steve Posick
Vulnerable systems:
Oracle Web listener 2.1/1.20in2 (under Solaris)
Details:
Consider the following setup. Access to:
http://host/ows-bin/owa/thenormal.app
is allowed, but access to the 'owa_util' package in the same directory is not, so requesting:
http://host/ows-bin/owa/owa_util.signature
makes the Oracle Web Listener return an HTTP 401 response (it asks for a user id and password). The access check, however, is evidently matched against the request path as it arrives, before percent-decoding, while the procedure name is resolved afterwards. Substituting the '_' with %5f (e.g. http://host/ows-bin/owa/owa%5futil.signature) therefore slips past the check and the OWL grants access. Using %2e instead of the dot (e.g. http://host/ows-bin/owa/owa_util%2esignature) has the same effect.
Sites that protect 'owa_util' only in this way are exposed to unauthenticated calls of its showsource, cellsprint, tableprint and listprint procedures, which return stored-procedure source and the contents of arbitrary tables to the requester.
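The check-before-decode mismatch described above, as an added example written for this page (it is not Oracle's code; the listener's real matching logic is not public, and naive_is_protected only models the behaviour reported here, beside a hardened version that canonicalises the path first). The gateway prefix, the protected-package set and the sample requests are constructed; treating package names case-insensitively is an assumption about how the gateway resolves unquoted Oracle identifiers.

```python
"""Canonicalise-then-check versus check-the-raw-path, modelled on the
owa_util bypass described above.  Added illustration, not Oracle's code."""

from urllib.parse import unquote

# Constructed policy: requests to the PL/SQL gateway that resolve to the
# owa_util package must be authenticated; every other package is open.
GATEWAY_PREFIX = "/ows-bin/owa/"
PROTECTED_PACKAGES = {"owa_util"}


def _package_of(path: str) -> str:
    """Return the <package> part of '/ows-bin/owa/<package>.<procedure>',
    or '' if the path does not sit under the gateway prefix."""
    if not path.startswith(GATEWAY_PREFIX):
        return ""
    return path[len(GATEWAY_PREFIX):].split(".", 1)[0]


def naive_is_protected(raw_path: str) -> bool:
    """Flawed check: compares the path exactly as it arrived, so
    'owa%5futil' and 'owa_util%2esignature' never match 'owa_util'."""
    return _package_of(raw_path) in PROTECTED_PACKAGES


def decoded_forms(raw_path: str, max_rounds: int = 3):
    """Yield the path as received, then each successively percent-decoded
    form until it stops changing.  The bound keeps a pathological input
    from being decoded forever."""
    path = raw_path
    yield path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        yield path


def hardened_is_protected(raw_path: str) -> bool:
    """Fail-closed check: if ANY decoding level of the request resolves to
    a protected package, require authentication.  Names are lower-cased
    because unquoted Oracle identifiers are case-insensitive (assumption
    about how the gateway resolves OWA_UTIL versus owa_util)."""
    return any(
        _package_of(form.lower()) in PROTECTED_PACKAGES
        for form in decoded_forms(raw_path)
    )


def compare(requests):
    """Return {path: (naive_result, hardened_result)} for each request."""
    return {r: (naive_is_protected(r), hardened_is_protected(r)) for r in requests}


# Constructed sample requests, including the two encodings from the advisory.
SAMPLE_REQUESTS = [
    "/ows-bin/owa/thenormal.app",            # open procedure
    "/ows-bin/owa/owa_util.signature",       # literal name, 401 either way
    "/ows-bin/owa/owa%5futil.signature",     # '_' sent as %5f
    "/ows-bin/owa/owa_util%2esignature",     # '.' sent as %2e
    "/ows-bin%2Fowa/owa_util.showsource",    # '/' in the prefix encoded
    "/ows-bin/owa/owa%255futil.signature",   # double-encoded '_'
    "/ows-bin/owa/OWA_UTIL.tableprint",      # case variant (see assumption)
]

if __name__ == "__main__":
    for path, (naive, hardened) in compare(SAMPLE_REQUESTS).items():
        print(f"{path:45} naive={naive!s:5} hardened={hardened}")
```

The hardened check is deliberately conservative: it does not try to guess how many times the dispatcher decodes, it refuses whenever any decoding level lands on a protected name. The general rule this illustrates is that an access check must see the request in exactly the form the component behind it will act on; matching on the raw bytes leaves every alternative encoding of the same name unprotected.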
Possible solution:
This problem can be worked around at the database level by using two accounts: one that owns the procedures to be executed (www_user) and another that the listener connects as (www_connect). www_connect is granted EXECUTE only on the specific procedures and packages it needs, and nothing on owa_util. Because Oracle stored procedures run with their owner's privileges by default (definer's rights), www_user's procedures can still reach every resource they need, while www_connect, and therefore any request that slips past the listener's check, is limited to what was explicitly granted to it. Check that neither www_connect nor PUBLIC holds an EXECUTE grant on owa_util; if either does, the second account adds nothing. This is a workaround rather than a fix for the listener itself: any filter applied to a URL is only as good as the canonicalisation performed before the comparison.