Date: Wed, 10 Jan 2001 14:12:29 -0600
From: Security Alerts Oracle Corporation
To: [email protected]
Subject: Patch for Potential Vulnerability in Oracle Internet Application
               Server

Oracle has released a patch for Oracle Internet Application Server which introduces a new configuration parameter in mod_plsql called exclusion_list. This parameter can be used to disallow URLs with specific formats from being passed to mod_plsql; by default it excludes URLs with special characters such as space, tab, newline, carriage return, single quote, and backslash. This patch is available (patch #1554571) on Oracle's Support Services site (http://metalink.oracle.com/); it may be found by searching on patches for Oracle Portal or Oracle9i Application Server Enterprise Edition.

Oracle recommends that this patch be applied to Internet Application Server version 1.0.2.0. Internet Application Server version 1.0.2.1, and future versions, are scheduled to include the patch.

Note also that the Apache listener in Oracle Internet Application Server already allows customers to define "inclusion-only" rules in the plsql.conf configuration file. This can be used to prevent outside user access to any PL/SQL procedure except those for which outside user access is explicitly granted in plsql.conf. As noted in Oracle's recent posting on Bugtraq, these rules are case sensitive.

Related Stories:
PHP Tutorial: Using ADODB to port your MySQL code (Dec 17, 2000)
OpenACS available on Apache(Dec 11, 2000)
PHPBuilder: Open Source Databases: As The Tables Turn(Nov 23, 2000)
The Perl You Need to Know: Personalization Methods Part 2(Oct 27, 2000)
Oracle Introduces Oracle 9i Application Server(Oct 02, 2000)
LinuxProgramming: Oracle Shows Microsoft How a 600-pound Gorilla Ought to Behave(Aug 10, 2000)
PHP on Apache: The Definitive Installation Guide(Aug 09, 2000)
PRN: Oracle Releases Oracle Internet Application Server 8i(Jun 28, 2000)