WebDB on NT -- ridiculous security hole?

From: Jim Mooney <mooneyj_at_mantech-wva.com>
Date: 16 Dec 1999 14:55:48 -0600
Message-ID: <385951d4$1_at_127.0.0.1>


Hello to all -- I am trying this question again after a month or more with no response and also no progress.

Has *anyone* managed to get WebDB (2.1) working on NT 4.0 using IIS 4.0, or any other listener for that matter, in a way which is not *ridiculously* insecure? By this I mean that any web user can see and modify the gateway admin page and gain total access as the WEBDB user.

Oracle acknowledges that the WebDB listener supports minimal security only. Oracle support has told us that the only way to block general access to the gateway page by anyone who knows the URL is to use a better listener such as IIS. Even using IIS, we have yet to find an acceptable way to do this. The solution proposed by Oracle seems to involve moving wdbcgi.exe to the "bin" directory, which would have the minor side effect of making every executable in that directory accessible to the whole Internet world ...

A further problem seems to be that using IIS as the listener causes WebDB to present its own login page (rather than the usual box -- I have no idea why), and *no matter what* input is typed, the page simply reappears. We have heard this is a known bug in wdbcgi.exe. If so, what is the fix? The problem *can* be avoided by storing the userid and password in the DAD via the gateway page. In this case everything works -- but do you wonder why we do not want to do this :-( ?

These questions have been open issues, posed to Oracle support weeks ago (we have full support). So far they have been of very little help.

Does anyone have any information on the actual content of wdbcgi.exe, that would allow us to understand this better if not modify it?

Are we missing something obvious, or is it really completely impossible for anyone to have a minimally secure implementation of WebDB on NT? Any help will be appreciated.

Jim Mooney
mooneyj_at_mantech-wva.com

Received on Thu Dec 16 1999 - 21:55:48 CET