5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
6.1 Medium
AI Score
Confidence
Low
0.85 High
EPSS
Percentile
98.5%
Oracle 9iAS can provide access to the PL/SQL application OWA_UTIL that
provides web access to some stored procedures.
# SPDX-FileCopyrightText: 2003 Javier Fernandez-Sanguino
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:oracle:http_server";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.11225");
script_version("2023-08-01T13:29:10+0000");
script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_cve_id("CVE-2002-0560");
script_name("Oracle 9iAS OWA UTIL access");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2003 Javier Fernandez-Sanguino");
script_family("Web application abuses");
script_dependencies("gb_oracle_app_server_detect.nasl");
script_require_ports("Services/www", 80);
script_mandatory_keys("oracle/http_server/detected");
script_xref(name:"URL", value:"http://www.kb.cert.org/vuls/id/307835");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/4294");
script_xref(name:"URL", value:"http://www.cert.org/advisories/CA-2002-08.html");
script_xref(name:"URL", value:"http://otn.oracle.co.kr/docs/oracle78/was3x/was301/cart/psutil.htm");
script_xref(name:"URL", value:"http://www.nextgenss.com/papers/hpoas.pdf");
script_xref(name:"URL", value:"http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf");
script_tag(name:"summary", value:"Oracle 9iAS can provide access to the PL/SQL application OWA_UTIL that
provides web access to some stored procedures.");
script_tag(name:"impact", value:"These procuedures, without authentication, can allow users to access
sensitive information such as source code of applications, user credentials to other
database servers and run arbitrary SQL queries on servers accessed by the application
server.");
script_tag(name:"solution", value:"Apply the appropriate patch listed
in the references.
Details how you can restrict unauthenticated access to procedures
using the exclusion_list parameter in the PL/SQL gateway configuration file:
/Apache/modplsql/cfg/wdbsvr.app.");
script_tag(name:"qod_type", value:"remote_analysis");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("host_details.inc");
if(!port = get_app_port(cpe:CPE))
exit(0);
if(!get_app_location(cpe:CPE, port:port, nofork:TRUE))
exit(0);
# Make a request for the owa util file
owas = make_list(
# Note: sometimes access to this file seems to return 0 bytes
"/ows-bin/owa/owa_util.signature",
# The following mutations are derived from
# http://archives.neohapsis.com/archives/ntbugtraq/1999-q4/0023.html
# and might provide access to it in some cases were it has
# been prevented through authentication
"/ows-bin/owa/owa_util%2esignature",
"/ows-bin/owa/owa%5futil.signature",
"/ows-bin/owa/owa%5futil.signature",
# These are extracted from David Lichtfield's excellent paper:
"/ows-bin/owa/%20owa_util.signature",
"/ows-bin/owa/%0aowa_util.signature",
"/ows-bin/owa/%08owa_util.signature",
# These are some other procedures derived from the same mail
"/ows-bin/owa/owa_util.showsource",
"/ows-bin/owa/owa_util.cellsprint",
"/ows-bin/owa/owa_util.tableprint",
"/ows-bin/owa/owa_util.listprint",
"/ows-bin/owa/owa_util.show_query_columns" );
# Note that instead of ows-bin/owa any combination of
# pls/dadname could be used: pls/simpledad, pls/sys...
VULN = FALSE;
report = 'Access to OWA_UTIL is possible through the following URLs:\n';
foreach owa( owas ) {
req = http_get( item:owa, port:port );
r = http_keepalive_send_recv( port:port, data:req );
if( r == NULL ) exit( 0 );
if( "This page was produced by the PL/SQL Web ToolKit" >< r || "DAD name:" >< r || "PATH_INFO=/ows-bin/owa/" >< r ) {
VULN = TRUE;
report += '\n' + http_report_vuln_url( port:port, url:owa, url_only:TRUE );
}
}
if( VULN ) {
security_message( port:port, data:report );
exit( 0 );
}
exit( 99 );