Oracle Application Server Lets Remote Users Request Alternate DADs to Bypass Authentication
|
|
SecurityTracker Alert ID: 1009263 |
|
SecurityTracker URL: http://securitytracker.com/id/1009263
|
|
CVE Reference:
CAN-2002-0561
(Links to External Site)
|
Date: Feb 29 2004
|
Impact:
User access via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 1.0.2.x
|
Description:
A vulnerability was reported in the Oracle Application Server in the PL/SQL Gateway web-based administration interface. A remote user may be able to access the system and modify Database Access Descriptor (DAD) settings.
In January 2002, NGSSoftware reported that a remote user may be able to bypass the authentication process.
A remote user can reportedly specify an alternate DAD in an HTTP request to gain access to the system without authenticating.
|
Impact:
A remote user may be able to gain access to the application.
|
Solution:
The vendor has described configuration steps to prevent this vulnerability in their security alert:
http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
|
Vendor URL: otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf (Links to External Site)
|
Cause:
Authentication error
|
Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 6 Feb 2002 06:43:59 -0000
Subject: Hackproofing Oracle Application Server paper
|
Howdy,
I've written a white-paper, "Hackproofing Oracle Application Server." It
covers vulnerable areas and what must done to secure the box. Anyone
interested may get a copy from http://www.nextgenss.com/papers/hpoas.pdf .
Cheers,
David Litchfield
http://www.nextgenss.com/
|
|
