|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Oracle Web Listener
Mnemonix (mnemonix
GLOBALNET.CO.UK)
Thu, 25 Nov 1999 21:45:35 -0000
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Arvel Hathcock: "Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability"
- Previous message: Jonathan M. Gilligan: "Final word: Eudora and malicious HTML"
There is a problem (seems to be a bug) with Oracle Web Listener where a
resource can be accessed when is shouldn't be able to be accessed:
Consider the following setup:
Access to http://host/ows-bin/owa/thenormal.app _is_ allowed.
However access to the owa_util package in the same dir is not allowed so
requesting http://host/ows-bin/owa/owa_util.signature causes the Oracle Web
Listener to throw back an HTTP 401 response ie it requires a user id and
password. However by making a request and substituting the _ with %5f (eg.
http://host/ows-bin/owa/owa%5futil.signature) we're granted access. Or
using %2e instead of the dot (eg.
http://host/ows-bin/owa/owa_util%2esignature ) does the same: we're given
access, then too.
On sites that protect access to owa_util using this method will be at great
risk from queries using showsource, cellsprint, tableprint and listprint.
Version Oracle_Web_listener2.1/1.20in2 on Solaris was tested. More recent
and earlier versions may also be affected but that's not known yet. Anybody
with access to such versions it - could you check?
TIA
Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
Cerberus Information Security
- Next message: Arvel Hathcock: "Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability"
- Previous message: Jonathan M. Gilligan: "Final word: Eudora and malicious HTML"
This archive was generated by hypermail 2.0b3 on Mon Nov 29 1999 - 12:30:34 CST