Oracle Webcache Requests OHS mod_access Restriction Bypass

2005-04-26T10:02:35
ID OSVDB:15908
Type osvdb
Reporter Alexander Kornbrust(ak@red-database-security.com)
Modified 2005-04-26T10:02:35

Description

Vulnerability Description

Oracle Application Server contains a flaw that may lead to an unauthorized information disclosure. It is possible to restrict a list of URLs in Oracle HTTP Server (OHS, port 7779) by using the 'mod_access' function. However these restricted URLs can be accessed via the Oracle Web Cache on port 7778, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades to correct this issue. However, Oracle Corporation has released a patch for Oracle HTTP Server (OHS) to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Add "UseWebCacheIP ON" to httpd.conf.

Short Description

Oracle Application Server contains a flaw that may lead to an unauthorized information disclosure. It is possible to restrict a list of URLs in Oracle HTTP Server (OHS, port 7779) by using the 'mod_access' function. However these restricted URLs can be accessed via the Oracle Web Cache on port 7778, resulting in a loss of confidentiality.

Manual Testing Notes

(Port 7778 = Webcache, Port 7779 = OHS)

The following URLs are NOT protected if you access them via Webcache: http://[victim]:7778/dmsoc4j/AggreSpy?format=metrictable&nountype=ohs_child&orderby=Name http://[victim]:7778/server-status http://[victim]:7778/dms0

The following URLs are protected: http://[victim]:7779/dmsoc4j/AggreSpy?format=metrictable&nountype=ohs_child&orderby=Name http://[victim]:7779/server-status http://[victim]:7779/dms0

References:

Vendor URL: http://www.oracle.com/ Vendor Specific Solution URL: http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=263943.1 Secunia Advisory ID:15143 Other Advisory URL: http://www.red-database-security.com/advisory/oracle_webcache_bypass.html Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0626.html Keyword: AKSEC2003-015,TCP port 7778,TCP port 7779 CVE-2005-1383 Bugtraq ID: 13418