Vulnerability Note VU#168795

Oracle 9iAS allows anonymous remote users to view sensitive Apache services by default

Overview

Oracle Application Server 9iAS allows remote users to access several Apache services without authentication.

I. Description

Oracle Application Server 9iAS includes the Apache Web server and several Apache services. In the default install configuration, many of these services, including Dynamic Monitoring Services, can be accessed remotely by anonymous users.

II. Impact

Dynamic Monitoring Services may be used without authentication by attackers to monitor the internal workings of the Oracle server.

III. Solution

The CERT/CC is currently unaware of a practical solution to this problem.

The following workaround was suggested by David Litchfield and has not been tested by CERT/CC.

  http://oracleserver/dms0
  http://oracleserver/dms/DMSDump
  http://oracleserver/servlet/DMSDump
  http://oracleserver/servlet/Spy
  http://oracleserver/soap/servlet/Spy
  http://oracleserver/dms/AggreSpy
  http://oracleserver/oprocmgr-status
  http://oracleserver/oprocmgr-service

Systems Affected
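As an added illustration (not part of the CERT note or of the reported workaround text), the following Apache configuration fragment denies anonymous access to the service paths listed under the Solution section above. It assumes the Oracle HTTP Server uses Apache 1.3-style Order/Deny/Allow directives and that the paths match the list above; the allowed address is a placeholder for an administrative host.

```apache
# Added example, not from the advisory: block the listed DMS, Spy and
# oprocmgr URLs for everyone except an administrative host.
# Assumes Apache 1.3-style access control as shipped with Oracle 9iAS.
<LocationMatch "^/(dms0|dms/DMSDump|dms/AggreSpy|servlet/DMSDump|servlet/Spy|soap/servlet/Spy|oprocmgr-status|oprocmgr-service)">
    Order deny,allow
    Deny from all
    # Placeholder: replace with the address of the monitoring/admin host.
    Allow from 127.0.0.1
</LocationMatch>
```

After restarting the HTTP server, confirm from an ordinary client that each listed URL now returns a 403 rather than the service page.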
References
Thanks to David Litchfield for reporting this vulnerability. This document was written by Shawn Van Ittersum.
If you have feedback, comments, or additional information about this vulnerability, please send us email.