The Oracle PL/SQL Gateway fails to properly validate HTTP requests. This may allow a remote attacker to execute SQL commands on an Oracle database.
Oracle uses the Oracle PL/SQL Gateway to access Oracle databases over HTTP. A lack of validation in the Oracle PL/SQL Gateway may allow a remote attacker to bypass Oracle's security restrictions and gain access to critical packages and procedures. The Oracle PL/SQL Gateway uses a list of keywords to restrict access to powerful packages and procedures. Upon receiving a request to execute a procedure, the PL/SQL Gateway compares the request to the list to determine if that procedure attempts to access any restricted procedures or packages. However, a remote attacker may be able to bypass this check by sending a specially crafted HTTP request to the Oracle PL/SQL Gateway.
Note that all Oracle installations with the HTTP Server (Apache) enabled may be affected by this vulnerability. For more information see Oracle Metalink Note 311536.1.
If a remote attacker sends a specially crafted HTTP request to a vulnerable Oracle installation, that attacker may be able to execute SQL commands with elevated privileges.
Apply a patch
Set always_describe or PlsqlAlwaysDescribeProcedure parameters to ON
This vulnerability was reported by David Litchfield of NGSSoftware. Information used in this document came from Integrigy, Alexander Kornbrust of red-database security, and Vladimir Zakharychev of Webrecruiter.
This document was written by Jeff Gennari.
|Date First Published:||2006-01-27|
|Date Last Updated:||2006-04-19 15:20 UTC|