Oracle PL/SQL Gateway Web Admin Interface Null Authentication

2002-01-10T00:00:00
ID OSVDB:9472
Type osvdb
Reporter David Litchfield(david@ngssoftware.com)
Modified 2002-01-10T00:00:00

Description

Vulnerability Description

Oracle Application Server contains a flaw that may allow a remote unauthenticated malicious user to perform PL/SQL application administrative functions. The issue is triggered when an attacker directly requests the mod_plsql gateway administration web interface. It is possible that the flaw may allow modification of Database Access Descriptors (DAD) and cache settings, resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

1) Change the adminPath entry in $ORACLE_HOME/Apache/modplsql/cfg/wdbsvr.app to a path name that does not reveal the exact location of the true administration pages.

2) Secure the mod_plsql administration pages by either setting the parameter "administrators" or by setting the "adminDAD" parameter in the DAD configuration file $ORACLE_HOME/Apache/modplsql/cfg/wdbsvr.app.
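As an added example (not part of the advisory and not Oracle code), a small Python checker that parses a wdbsvr.app and reports the weak state each of the two workarounds above addresses; it assumes the file is INI-style with a [PLSQL_GATEWAY] section holding adminPath, administrators and adminDAD, infers the default admin path from the test URL, and uses constructed sample configurations.

```python
"""Audit a mod_plsql wdbsvr.app for the unauthenticated admin-interface weakness."""
import configparser

# Assumed default of adminPath, inferred from the advisory's test URL (.../admin_/gateway.htm).
DEFAULT_ADMIN_PATH = "/admin_/"

# Constructed sample in the weak state: default admin path, no administrators, no adminDAD.
WEAK_CONFIG = """
[PLSQL_GATEWAY]
adminPath = /admin_/
administrators =
adminDAD =
defaultDAD = portal30

[DAD_portal30]
connect_string = orcl
"""

# Constructed sample with both workarounds applied (values are placeholders).
HARDENED_CONFIG = """
[PLSQL_GATEWAY]
adminPath = /x7q9_gw_mgmt/
administrators = gw_admin_user
adminDAD = gw_admin_dad
defaultDAD = portal30

[DAD_portal30]
connect_string = orcl
"""


def audit_wdbsvr(text):
    """Return a list of findings; an empty list means neither weakness was detected."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("PLSQL_GATEWAY"):
        return ["no [PLSQL_GATEWAY] section found; cannot assess admin settings"]
    gw = cp["PLSQL_GATEWAY"]  # configparser matches option names case-insensitively
    findings = []
    # Workaround 1: a missing adminPath falls back to the well-known default, and a
    # path that still contains "admin" reveals where the administration pages live.
    admin_path = gw.get("adminPath", DEFAULT_ADMIN_PATH).strip().lower()
    if admin_path == DEFAULT_ADMIN_PATH or "admin" in admin_path:
        findings.append("adminPath reveals the administration pages (%s)" % admin_path)
    # Workaround 2: with neither administrators nor adminDAD set, the admin pages
    # are reachable without authentication.
    if not gw.get("administrators", "").strip() and not gw.get("adminDAD", "").strip():
        findings.append("neither administrators nor adminDAD is set; admin pages are unauthenticated")
    return findings
```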

Manual Testing Notes

http://[victim]/pls/portal30/admin_/gateway.htm

References:

Vendor Specific Advisory URL
Security Tracker: 1009263
Related OSVDB ID: 706
Other Advisory URL: http://www.nextgenss.com/papers/hpoas.pdf
Nessus Plugin ID: 11452
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
ISS X-Force ID: 8452
CVE: CVE-2002-0561
CERT VU: 611776
CERT: CA-2002-08
Bugtraq ID: 4292