Vulnerability Oracle Affected Oracle Web Listener Description Mnemonix (David Litchfield) found following. There is a problem (seems to be a bug) with Oracle Web Listener where a resource can be accessed when is shouldn't be able to be accessed. Consider the following setup. Access to: http://host/ows-bin/owa/thenormal.app IS allowed. However access to the owa_util package in the same dir is not allowed so requesting: http://host/ows-bin/owa/owa_util.signature causes the Oracle Web Listener to throw back an HTTP 401 response ie. it requires a user id and password. However by making a request and substituting the _ with %5f, eg. http://host/ows-bin/owa/owa%5futil.signature we're granted access. Or using %2e instead of the dot, eg. http://host/ows-bin/owa/owa_util%2esignature does the same: we're given access, then too. On sites that protect access to owa_util using this method will be at great risk from queries using showsource, cellsprint, tableprint and listprint. Version Oracle_Web_listener2.1/1.20in2 on Solaris was tested. More recent and earlier versions may also be affected but that's not known yet. Solution Steve Posick addressed this problem by creating 2 accounts 1 that owns the procedures to be executed (www_user) and 1 that is called by the listener (www_connect). www_connect is only granted execute rights on the procedure and packages it needs to execute. Since Oracle Stored procedure execute as their owner, they will be able to access all the resources they need and while the www_connect account will be limited to only what was explicitly granted to it.