Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Servers :: oracle11.htm

Oracle Web Listener - access disallowed resources



    Oracle Web Listener


    Mnemonix (David Litchfield) found  following.  There is  a problem
    (seems to be a bug) with Oracle Web Listener where a resource  can
    be accessed when  is shouldn't be  able to be  accessed.  Consider
    the following setup.  Access to:


    IS allowed.   However access to  the owa_util package  in the same
    dir is not allowed so requesting:


    causes the Oracle Web Listener to throw back an HTTP 401  response
    ie. it  requires a  user id  and password.   However by  making  a
    request and substituting the _ with %5f, eg.


    we're granted access.  Or using %2e instead of the dot, eg.


    does  the  same:  we're  given  access,  then  too.  On sites that
    protect access to owa_util using this method will be at great risk
    from  queries   using  showsource,   cellsprint,  tableprint   and

    Version  Oracle_Web_listener2.1/1.20in2  on  Solaris  was  tested.
    More recent and earlier versions  may also be affected but  that's
    not known yet.


    Steve Posick addressed this problem by creating 2 accounts  1 that
    owns the procedures to be executed (www_user) and 1 that is called
    by  the  listener  (www_connect).   www_connect  is  only  granted
    execute rights on the procedure and packages it needs to  execute.
    Since Oracle Stored  procedure execute as  their owner, they  will
    be  able  to  access  all  the  resources  they need and while the
    www_connect account will  be limited to  only what was  explicitly
    granted to it.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH