Vulnerability

    Oracle

Affected

    Oracle Web Listener

Description

    Mnemonix (David Litchfield) found  following.  There is  a problem
    (seems to be a bug) with Oracle Web Listener where a resource  can
    be accessed when  is shouldn't be  able to be  accessed.  Consider
    the following setup.  Access to:

        http://host/ows-bin/owa/thenormal.app

    IS allowed.   However access to  the owa_util package  in the same
    dir is not allowed so requesting:

        http://host/ows-bin/owa/owa_util.signature

    causes the Oracle Web Listener to throw back an HTTP 401  response
    ie. it  requires a  user id  and password.   However by  making  a
    request and substituting the _ with %5f, eg.

        http://host/ows-bin/owa/owa%5futil.signature

    we're granted access.  Or using %2e instead of the dot, eg.

        http://host/ows-bin/owa/owa_util%2esignature

    does  the  same:  we're  given  access,  then  too.  On sites that
    protect access to owa_util using this method will be at great risk
    from  queries   using  showsource,   cellsprint,  tableprint   and
    listprint.

    Version  Oracle_Web_listener2.1/1.20in2  on  Solaris  was  tested.
    More recent and earlier versions  may also be affected but  that's
    not known yet.

Solution

    Steve Posick addressed this problem by creating 2 accounts  1 that
    owns the procedures to be executed (www_user) and 1 that is called
    by  the  listener  (www_connect).   www_connect  is  only  granted
    execute rights on the procedure and packages it needs to  execute.
    Since Oracle Stored  procedure execute as  their owner, they  will
    be  able  to  access  all  the  resources  they need and while the
    www_connect account will  be limited to  only what was  explicitly
    granted to it.