Patch for Oracle introduces a new configuration parameter in mod_plsql
Date: Wed, 10 Jan 2001 14:12:29 -0600 From: Security Alerts Oracle Corporation To: BUGTRAQ@SECURITYFOCUS.COM Subject: Patch for Potential Vulnerability in Oracle Internet Application ServerIn recent weeks, a potential vulnerability associated with the mod_plsql function in Oracle Application Server (OAS) and Oracle Internet Application Server (iAS) was reported on Bugtraq. At that time Oracle recommended workarounds to the potential vulnerability. In follow up discussions on Bugtraq, it was suggested that Oracle should permit customers to disallow outside users from access to all but specific, known PL/SQL procedures, and that Oracle should disallow special characters from being passed in procedure names to mod_plsql. Oracle has released a patch for Oracle Internet Application Server which introduces a new configuration parameter in mod_plsql called exclusion_list.
Oracle has released a patch for Oracle Internet Application Server which introduces a new configuration parameter in mod_plsql called exclusion_list. This parameter can be used to disallow URLs with specific formats from being passed to mod_plsql; by default it excludes URLs with special characters such as space, tab, newline, carriage return, single quote, and backslash. This patch is available (patch #1554571) on Oracle's Support Services site (http://metalink.oracle.com/); it may be found by searching on patches for Oracle Portal or Oracle9i Application Server Enterprise Edition.
Oracle recommends that this patch be applied to Internet Application Server version 184.108.40.206. Internet Application Server version 220.127.116.11, and future versions, are scheduled to include the patch.
Note also that the Apache listener in Oracle Internet Application Server already allows customers to define "inclusion-only" rules in the plsql.conf configuration file. This can be used to prevent outside user access to any PL/SQL procedure except those for which outside user access is explicitly granted in plsql.conf. As noted in Oracle's recent posting on Bugtraq, these rules are case sensitive.