oracle.web.listener.txt

`  
Subject: Oracle Web Listener  
Date: Thu Nov 25 1999 12:45:35  
Author: Mnemonix  
  
  
There is a problem (seems to be a bug) with Oracle Web Listener where a  
resource can be accessed when is shouldn't be able to be accessed:  
  
Consider the following setup:  
Access to http://host/ows-bin/owa/thenormal.app _is_ allowed.  
  
However access to the owa_util package in the same dir is not allowed so  
requesting http://host/ows-bin/owa/owa_util.signature causes the Oracle Web  
Listener to throw back an HTTP 401 response ie it requires a user id and  
password. However by making a request and substituting the _ with %5f (eg.  
http://host/ows-bin/owa/owa%5futil.signature) we're granted access. Or  
using %2e instead of the dot (eg.  
http://host/ows-bin/owa/owa_util%2esignature ) does the same: we're given  
access, then too.  
  
On sites that protect access to owa_util using this method will be at great  
risk from queries using showsource, cellsprint, tableprint and listprint.  
  
Version Oracle_Web_listener2.1/1.20in2 on Solaris was tested. More recent  
and earlier versions may also be affected but that's not known yet. Anybody  
with access to such versions it - could you check?  
  
TIA  
Cheers,  
David Litchfield  
http://www.infowar.co.uk/mnemonix/  
Cerberus Information Security  
  
`