
List:       bugtraq
Subject:    Re: Oracle Web Listener
From:       "Posick, Steve" <steve.posick () ESPN ! COM>
Date:       1999-11-29 14:36:25

We've addressed this problem by creating two accounts: one that owns the
procedures to be executed (www_user) and one that is called by the listener
(www_connect).  www_connect is only granted execute rights on the procedures
and packages it needs to execute.  Since Oracle stored procedures execute as
their owner, they will be able to access all the resources they need, while
the www_connect account will be limited to only what was explicitly granted
to it.


		-----Original Message-----
		From:	Mnemonix [mailto:mnemonix@GLOBALNET.CO.UK]
		Sent:	Thursday, November 25, 1999 4:46 PM
		To:	BUGTRAQ@SECURITYFOCUS.COM
		Subject:	Oracle Web Listener

		There is a problem (seems to be a bug) with Oracle Web Listener where a resource can be accessed when it shouldn't be able to be accessed:

		Consider the following setup:
		Access to http://host/ows-bin/owa/thenormal.app _is_ allowed.

		However access to the owa_util package in the same dir is not allowed, so requesting http://host/ows-bin/owa/owa_util.signature causes the Oracle Web Listener to throw back an HTTP 401 response, i.e. it requires a user id and password. However by making a request and substituting the _ with %5f (eg. http://host/ows-bin/owa/owa%5futil.signature) we're granted access. Or using %2e instead of the dot (eg. http://host/ows-bin/owa/owa_util%2esignature) does the same: we're given access then too.

		Sites that protect access to owa_util using this method will be at great risk from queries using showsource, cellsprint, tableprint and listprint.

		Version Oracle_Web_listener2.1/1.20in2 on Solaris was tested. More recent and earlier versions may also be affected but that's not known yet. Anybody with access to such versions - could you check?

		TIA
		Cheers,
		David Litchfield
		http://www.infowar.co.uk/mnemonix/
		Cerberus Information Security
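The bypass described in the quoted post (an access rule on owa_util that an encoded `%5f` or `%2e` in the path slips past) is a canonicalisation failure: the listener compares the raw request path against the protected name before decoding it. The following is an added example, not code from either post or from Oracle's listener. It models a path-based rule two ways: a naive check that matches on the still-encoded path, and a hardened check that percent-decodes (repeatedly, to catch double encoding), collapses slashes and lower-cases the path before comparing. The host, package and procedure names are those from the post; the rule structure, the `PROTECTED_PACKAGES` set and the lower-casing step (an assumption that unquoted Oracle identifiers are compared case-insensitively) are constructed for this example.

```python
"""Added example (not part of the original Bugtraq thread): a path-based
access rule for /ows-bin/owa/<package>.<procedure> URLs, checked on the
raw request path versus on its canonical form."""
from typing import Optional
from urllib.parse import unquote

# Constructed for this example: packages that must require authentication.
PROTECTED_PACKAGES = {"owa_util"}
PREFIX = "/ows-bin/owa/"


def _package_of(path: str) -> Optional[str]:
    """Return the <package> part of /ows-bin/owa/<package>.<procedure>,
    or None when the path is not under the owa prefix."""
    if not path.startswith(PREFIX):
        return None
    name = path[len(PREFIX):]
    name = name.split("?", 1)[0]        # drop any query string
    return name.split(".", 1)[0]        # package is everything before the first dot


def naive_requires_auth(raw_path: str) -> bool:
    """Model of the reported behaviour: the rule is applied to the path as
    sent, so 'owa%5futil' or 'owa_util%2esignature' never matches 'owa_util'."""
    return _package_of(raw_path) in PROTECTED_PACKAGES


def normalize(raw_path: str) -> str:
    """Canonicalise before deciding: decode percent-escapes until the string
    stops changing (catches %25xx double encoding), collapse repeated slashes,
    and lower-case (assumption: identifiers are compared case-insensitively)."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()


def hardened_requires_auth(raw_path: str) -> bool:
    """Apply the same rule, but to the canonical form of the path."""
    return _package_of(normalize(raw_path)) in PROTECTED_PACKAGES


if __name__ == "__main__":
    # Constructed sample requests, including the two encodings from the post.
    for url in ("/ows-bin/owa/owa_util.signature",
                "/ows-bin/owa/owa%5futil.signature",
                "/ows-bin/owa/owa_util%2esignature",
                "/ows-bin/owa/owa%255futil.signature",
                "/ows-bin/owa/OWA_UTIL.signature",
                "/ows-bin/owa/thenormal.app"):
        print(f"{url:42} naive={naive_requires_auth(url)!s:5} "
              f"hardened={hardened_requires_auth(url)}")
```

The general rule the example illustrates: decode and canonicalise first, then authorise, and make the authorisation decision on the same representation the back end will ultimately act on. Steve Posick's reply takes the complementary approach of limiting what the listener's database account can reach at all, so that a bypass of the listener's rule still only exposes what www_connect was explicitly granted.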
