Vulnerability: owning

Affected: Oracle Webserver 2.1; Oracle Webserver 1.0 (included with Oracle7 Server and Oracle7 Workgroup Server)

Description:

Kari Hurtta found the following. You should use the same criteria for deciding who gets the password for the oracle account as you use for deciding who gets the password for the root account. Why is that? Well,

1) Oracle Webserver comes as setuid root.
2) The configuration files and the software tree are owned by the oracle account.

That allows the oracle account to control what is normally left to the root account:

1) The oracle account can select under which account Oracle Webserver operates (by editing the configuration file).
2) Oracle Webserver 2.1 opens the log file as root, so the oracle account can append to any file (by editing the configuration file).

Notice that even if 2) is a bug, that is irrelevant, because 1) supersedes it (and 1) looks like a planned feature).

Solution:

Ask the Oracle guys. Until then you should check whether you trust the people who have the oracle account password.
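The underlying pattern is generic: a setuid-root program whose configuration (and the directory tree around it) is writable by an unprivileged service account effectively hands that account root. The audit below is an added example, not code from the advisory or from Oracle; it flags configuration files or directories that a non-root principal can modify while a setuid-root binary reads them, and separately flags a configured log path that resolves outside the expected log directory (the write-as-root primitive described in point 2). All paths, uids and the `FileFacts` helper are constructed for the example; `from_path` is the only part that touches the real filesystem.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class FileFacts:
    """Ownership and mode of one filesystem object (file or directory)."""
    path: str
    uid: int
    gid: int
    mode: int  # full st_mode, including the file type bits


def from_path(path: str) -> FileFacts:
    """Collect FileFacts from a real path (used on a live system, not in the tests)."""
    st = os.stat(path)
    return FileFacts(path, st.st_uid, st.st_gid, st.st_mode)


def is_setuid_root(f: FileFacts) -> bool:
    """True if the object is owned by uid 0 and carries the setuid bit."""
    return f.uid == 0 and bool(f.mode & stat.S_ISUID)


def nonroot_writers(f: FileFacts) -> list:
    """Principals other than root that can write the object.

    Assumption: gid 0 is treated as root-equivalent, so group-writable
    objects in group 0 are not reported; any other writable group is.
    """
    writers = []
    if f.uid != 0 and f.mode & stat.S_IWUSR:
        writers.append(f"uid {f.uid}")
    if f.gid != 0 and f.mode & stat.S_IWGRP:
        writers.append(f"gid {f.gid}")
    if f.mode & stat.S_IWOTH:
        writers.append("world")
    return writers


def audit_config_ownership(binary: FileFacts, config_objects: list) -> list:
    """Report config files/directories a non-root principal can modify
    even though a setuid-root binary consumes them.

    Directories are included because write access to the containing
    directory allows the file itself to be replaced.
    """
    findings = []
    if not is_setuid_root(binary):
        return findings  # no privilege boundary is crossed; nothing to report
    for obj in config_objects:
        writers = nonroot_writers(obj)
        if writers:
            kind = "directory" if stat.S_ISDIR(obj.mode) else "file"
            findings.append(
                f"{obj.path}: {kind} writable by {', '.join(writers)} "
                f"but used by setuid-root {binary.path}"
            )
    return findings


def audit_log_path(configured_log: str, expected_log_dir: str) -> list:
    """Report a configured log file that lies outside the expected log
    directory; a server that opens its log as root must not be pointed
    at arbitrary files. Paths are normalised so '..' segments cannot
    disguise the target.
    """
    log = os.path.normpath(configured_log)
    base = os.path.normpath(expected_log_dir)
    if os.path.commonpath([log, base]) != base:
        return [f"log file {log} resolves outside {base} and is opened as root"]
    return []


if __name__ == "__main__":
    # Constructed facts mirroring the advisory: setuid-root server binary,
    # configuration tree owned by an unprivileged 'oracle' account (uid 1001).
    server = FileFacts("/opt/ows/bin/wrb", 0, 0, stat.S_IFREG | 0o4755)
    cfg_dir = FileFacts("/opt/ows/admin", 1001, 1001, stat.S_IFDIR | 0o755)
    cfg = FileFacts("/opt/ows/admin/ows.cfg", 1001, 1001, stat.S_IFREG | 0o644)
    for line in audit_config_ownership(server, [cfg_dir, cfg]):
        print(line)
    for line in audit_log_path("/opt/ows/log/../../../etc/passwd", "/opt/ows/log"):
        print(line)
```

On a real host you would build the list with `from_path` over the binary, its configuration files and every directory on the path to them; a clean result means the service account cannot change what the setuid-root program does, which is the property the advisory says Oracle Webserver lacks.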