In recent weeks, a potential vulnerability associated with the mod_plsql
function in Oracle Application Server (OAS) and Oracle Internet
Application Server (iAS) was reported on Bugtraq. At that time Oracle
recommended workarounds to the potential vulnerability. In follow up
discussions on Bugtraq, it was suggested that Oracle should permit
customers to disallow outside users from access to all but specific,
known PL/SQL procedures, and that Oracle should disallow special
characters from being passed in procedure names to mod_plsql.

Oracle has released a patch for Oracle Internet Application Server which
introduces a new configuration parameter in mod_plsql called
exclusion_list. This parameter can be used to disallow URLs with
specific formats from being passed to mod_plsql; by default it excludes
URLs with special characters such as space, tab, newline, carriage
return, single quote, and backslash. This patch is available (patch
#1554571) on Oracle's Support Services site
(http://metalink.oracle.com/); it may be found by searching on patches
for Oracle Portal or Oracle9i Application Server Enterprise Edition.

Oracle recommends that this patch be applied to Internet Application
Server version 1.0.2.0. Internet Application Server version 1.0.2.1,
and future versions, are scheduled to include the patch.

Note also that the Apache listener in Oracle Internet Application Server
already allows customers to define "inclusion-only" rules in the
plsql.conf configuration file. This can be used to prevent outside user
access to any PL/SQL procedure except those for which outside user
access is explicitly granted in plsql.conf. As noted in Oracle's
recent posting on Bugtraq, these rules are case sensitive.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]