Apache Today [Your Apache News Source]
Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
Patch for Oracle introduces a new configuration parameter in mod_plsql
(Jan 12th, 19:15:13 )

Date: Wed, 10 Jan 2001 14:12:29 -0600
From: Security Alerts Oracle Corporation
To: [email protected]
Subject: Patch for Potential Vulnerability in Oracle Internet Application
               Server
In recent weeks, a potential vulnerability associated with the mod_plsql function in Oracle Application Server (OAS) and Oracle Internet Application Server (iAS) was reported on Bugtraq. At that time Oracle recommended workarounds to the potential vulnerability. In follow up discussions on Bugtraq, it was suggested that Oracle should permit customers to disallow outside users from access to all but specific, known PL/SQL procedures, and that Oracle should disallow special characters from being passed in procedure names to mod_plsql.

Oracle has released a patch for Oracle Internet Application Server which introduces a new configuration parameter in mod_plsql called exclusion_list. This parameter can be used to disallow URLs with specific formats from being passed to mod_plsql; by default it excludes URLs with special characters such as space, tab, newline, carriage return, single quote, and backslash. This patch is available (patch #1554571) on Oracle's Support Services site (http://metalink.oracle.com/); it may be found by searching on patches for Oracle Portal or Oracle9i Application Server Enterprise Edition.

Oracle recommends that this patch be applied to Internet Application Server version 1.0.2.0. Internet Application Server version 1.0.2.1, and future versions, are scheduled to include the patch.

Note also that the Apache listener in Oracle Internet Application Server already allows customers to define "inclusion-only" rules in the plsql.conf configuration file. This can be used to prevent outside user access to any PL/SQL procedure except those for which outside user access is explicitly granted in plsql.conf. As noted in Oracle's recent posting on Bugtraq, these rules are case sensitive.

Related Stories:
PHP Tutorial: Using ADODB to port your MySQL code (Dec 17, 2000)
OpenACS available on Apache(Dec 11, 2000)
PHPBuilder: Open Source Databases: As The Tables Turn(Nov 23, 2000)
The Perl You Need to Know: Personalization Methods Part 2(Oct 27, 2000)
Oracle Introduces Oracle 9i Application Server(Oct 02, 2000)
LinuxProgramming: Oracle Shows Microsoft How a 600-pound Gorilla Ought to Behave(Aug 10, 2000)
PHP on Apache: The Definitive Installation Guide(Aug 09, 2000)
PRN: Oracle Releases Oracle Internet Application Server 8i(Jun 28, 2000)


Printed from Apache Today (https://apachetoday.com).
https://apachetoday.com/news_story.php3?ltsn=2001-01-12-002-06-NW-DT-DB

About Triggers Newsletters Media Kit Security Triggers Login


internet.com
Privacy Policy
All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.2.12, Apache 1.3.9. and PHP 3.14
© Copyright 2000, internet.com Corp. All Rights Reserved.Legal Notices.