OSVDB ID: 22719 Title: Oracle Multiple Products PL/SQL Gateway PLSQLExclusion List Bypass |
Info |
|
|
Dates |
||||
|
|
Description |
Oracle PL/SQL Gateway (a component of iAS, OAS and the Oracle HTTP Server) contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is caused by a failure to filter user input when referencing the PLSQLExclusion list. This flaw may lead to a loss of integrity. |
Classification |
Location:
Remote / Network Access
Attack Type: Input Manipulation Impact: Loss of Integrity Exploit: Exploit Public Disclosure: OSVDB Verified OSVDB: Web Related |
Solution |
Oracle has released a patch (Jan 2006) to address this vulnerability, but subsequent testing has revealed it does not fully mitigate the issue. It is possible to correct the flaw by implementing the following workaround: Edit the wdbsvr.app file and change the 'always_describe' option to 'yes'. Edit the dads.conf file and change the 'PlsqlAlwaysDescribeProcedure' to 'on'. |
Products |
|
References |
|
Credit |
|
ngssoftware.com - NGSSoftware