search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Oracle9i Application Server OWA_UTIL procedures expose sensitive information

Vulnerability Note VU#307835

Original Release Date: 2002-03-11 | Last Revised: 2002-11-15


Oracle9i Application Server (iAS) provides a Procedural Language/Structured Query Language (PL/SQL) application (package) called OWA_UTIL that provides web access to a number of stored procedures. These procedures could be used by an attacker to view the source code of PL/SQL applications, obtain credentials and access to other database servers, and run SQL queries on accessible database servers.


David Litchfield of NGSSoftware has released a paper titled Hackproofing Oracle Application Server that describes a number of security issues in Oracle's PL/SQL system. This document addresses a problem in which a number of procedures in the OWA_UTIL PL/SQL application disclose sensitive information.

Quoting from Hackproofing:

PL/SQL is Oracle’s Procedural Language extension to Structured Query Language. PL/SQL packages [applications] are essentially stored procedures in the database. The package exposes procedures that can be called directly, but also has functions that are called internally from within another package. The PL/SQL module for Apache extends the functionality of a web server, enabling the web server to execute these stored PL/SQL packages in the database. The best way to imagine the PL/SQL module is like a gateway into an Oracle database server over the Web using stored procedures.
The OWA_UTIL PL/SQL application exposes a number of procedures to the web via the Apache PL/SQL module. By default, anonymous web access is permitted to some of these procedures.

OWA_UTIL.signature returns a message containing version information about the PL/SQL module. An attacker could use this procedure to verify access to OWA_UTIL.

OWA_UTIL.showsource returns the source code of the specified PL/SQL application. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.cellsprint is prevented by default.

OWA_UTIL.cellsprint allows an attacker to run arbitrary SQL queries. Litchfield notes that queries could be made to the$ table, which could provide credentials and access to other Oracle database servers. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.cellsprint is prevented by default.

OWA_UTIL.listprint allows an attacker to run arbitrary SQL queries, but only returns specified columns.

OWA_UTIL.show_query_columns returns column names of a database table. This procedure could be used to obtain column names for use with OWA_UTILS.listprint.

The PL/SQL module provides a configuration parameter called exclusion_list. Procedures (as well as applications and schemas) specified in exclusion_list cannot be directly executed over the web. As noted above, Oracle9i AS v1.0.2.2 documentation states that web access to OWA_UTIL.showsource and OWA_UTIL.cellsprint is prevented by default.

The vulnerable PL/SQL module may also be used by Oracle9i Database and Oracle8i Database.


An unauthenticated, remote attacker could use procedures provided by OWA_UTIL to view the source code of PL/SQL applications, obtain access credentials for other database servers, access other database servers, and perform SQL queries on accessible database servers.


Block or Restrict Access
Unauthenticated PUBLIC access to PL/SQL procedures and applications can be restricted using the exclusion_list parameter in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/ This solution is described in Oracle Security Alert #28. For more information, read the section titled Protecting the PL/SQL Procedures Granted to PUBLIC in the Oracle iAS documentation under Using the PL/SQL Gateway.

Disable Vulnerable Service

Disable the PL/SQL service (modplsql or mod_plsql in Apache).

Vendor Information


Oracle Affected

Notified:  March 03, 2002 Updated: March 05, 2002



Vendor Statement

Oracle has released Oracle Security Alert #28.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



The CERT Coordination Center thanks David Litchfield of NGSSoftware for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-0560
CERT Advisory: CA-2002-08
Severity Metric: 10.26
Date Public: 2002-01-10
Date First Published: 2002-03-11
Date Last Updated: 2002-11-15 21:43 UTC
Document Revision: 42

Sponsored by CISA.