Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: [oracle-l] Re: Oracle HTTP Server Cross Site Scripting Vulnerabil lity

Re: [oracle-l] Re: Oracle HTTP Server Cross Site Scripting Vulnerabil lity

From: Jan Pruner <JPruner_at_email.cz>
Date: Wed, 28 Jan 2004 11:55:11 +0100
Message-ID: <4017950F.4010304@email.cz> 





A lot of people running Oracle on WINDOWS.
They simply do not know about the posibility to compile own httpd with 
SSL library.



JP



MacGregor, Ian A. wrote:


> How many people actually run the HTTP server which comes with the database?  Isn't that pleading for someone to commit mischief.  It was too long ago that an SSL problem  was announced also dealing with the HTTP server.  The attack vector employs iSQL is that only available through the "database" HTTP server or can it be run via iAS.

> 

> 

> Ian MacGregor

> Stanford Linear Accelerator Center

> ian_at_slac.stanford.edu

> 

> 

> -----Original Message-----

> From: Jared.Still_at_radisys.com [mailto:Jared.Still_at_radisys.com] 

> Sent: Tuesday, January 27, 2004 5:26 PM

> To: oracle-l_at_freelists.org

> Subject: [oracle-l] Oracle HTTP Server Cross Site Scripting Vulnerabillity

> 

> 

> ----- Forwarded by Jared Still/Radisys_Corporation/US on 01/27/2004 05:25 

> PM -----

> 

> "Rafel Ivgi, The-Insider" <theinsider_at_012.net.il>

>  01/24/2004 01:54 AM

>  Please respond to "Rafel Ivgi, The-Insider"

> 

>  

>         To:     "bugtraq" <bugtraq_at_securityfocus.com>

>         cc:     "securitytracker" <bugs_at_securitytracker.com>

>         Subject:        Oracle HTTP Server Cross Site Scripting Vulnerabillity

> 

> 

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> 

> Software:        Oracle HTTP Server Powered by Apache

> Vendor:           http://www.apache.com

>                          http://www.oracle.com

> Versions:        Oracle HTTP Server Powered by Apache/1.3.22 (Win32)

> mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25

> Platforms:       Windows

> Bug:                 Cross Site Scripting Vulnerabillity

> Risk:                Low

> Exploitation:     Remote with browser

> Date:               24 Jan 2004

> Author:            Rafel Ivgi, The-Insider

> e-mail:             the_insider_at_mail.com

> web:                http://theinsider.deep-ice.com

> 

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> 

> 1) Introduction

> 2) Bug

> 3) The Code

> 

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> 

> ===============

> 1) Introduction

> ===============

> 

> Apache is the most common unix server in the world. It is strong and safe. Oracle HTTP Server is a modified, custom apache server that was created by apache for oracle.

> 

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> 

> ======

> 2) Bug

> ======

> 

> The Vulnerabillity is Cross Site Scripting. If an attacker will request 

> the

> following

> url from the server: http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('X

> SS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e

> Or

> http://<host>/isqlplus?action=<script>alert('XSS')</script>

> XSS appears and the server allows an attacker to inject & execute scripts.

> 

> In the words of securityfocus.com :

> ~~~~~~~~~~~~~~~~~~~~~~~~~~

> 

> If all of these circumstances are met, an attacker may be able to exploit this issue via a malicious link containing arbitrary HTML and script code as part of the hostname. When the malicious link is clicked by an unsuspecting user, the attacker-supplied HTML and script code will be executed by their web client. This will occur because the server will echo back the malicious hostname supplied in the client's request, without sufficiently escaping HTML and script code.

> 

> Attacks of this nature may make it possible for attackers to manipulate 

> web

> content or to

> steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

> 

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> 

> ===========

> 3) The Code

> ===========

> 

> http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('X

> SS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e

> http://<host>/isqlplus?action=<script>alert('XSS')</script>

> 

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> 

> ---

> Rafel Ivgi, The-Insider

> http://theinsider.deep-ice.com

> 

> "Things that are unlikeable, are NOT impossible."

> 

> 





Please see the official ORACLE-L FAQ: http://www.orafaq.com




To unsubscribe send email to:  oracle-l-request_at_freelists.org
put 'unsubscribe' in the subject line.

--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------


Received on Wed Jan 28 2004 - 04:55:11 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US