Thanks Edgar for the doc. One of my clients usually travels a lot (from one country to another) with his laptop, and there is some sensitive information on his laptop, and he is connected through dial-up. He is using the FOUND SCAN TOOL and he is getting the report shown below.

********************************* Report *********************************

BRIZKN | 165.197.20.181

Apache mod_ssl Off-By-One HTAccess Buffer Overflow
Description:
A buffer overflow vulnerability in the mod_SSL module for the Apache Web server allows remote attackers to execute arbitrary commands on targeted hosts.
Response from System:
Script Output:
    http/1.1 200 ok
    date: wed, 16 jun 2004 07:24:17 gmt
    server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
    last-modified: tue, 20 aug 2002 21:41:18 gmt
    etag: "0-89a-3d62b77e"
    accept-ranges: bytes
    content-length: 2202
    connection: close
    content-type: text/html

    <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
    <html>
    <head>
    <meta http-equiv="content-type" content="text/html; ch
Recommendation:
Install the latest version of mod_ssl, available from:
http://www.modssl.org/
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2002-0653

Oracle soaprouter accessible
Description:
A configuration vulnerability in the Oracle Application Server allows remote attackers to perform administrative actions on the targeted server.
Recommendation:
Disable SOAP on the host by commenting-out the following lines from the '$ORACLE_HOME/Apache/Jserv/etc/jserv.conf' file:
    ApJServGroup group2 1 1 $ORACLE_HOME/Apache/Jserv/etc/jservSoap.properties
    ApJServMount /soap/servlet ajpv12://localhost:8200/soap
    ApJServMount /dms2 ajpv12://localhost:8200/soap
    ApJServGroupMount /soap/servlet balance://group2/soap
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2001-1371

Oracle 9i Database Server iSQL Plus USERID Buffer Overflow
Description:
A remotely exploitable buffer overflow condition is present the authentication process of Oracle iSQL*Plus.
Response from System:
Script Output:
    Request: /isqlplus
    Response:
    ed. -->
    <meta http-equiv="content-type" content="text/html; charset=windows-1252">
    <title>isql*plus release 9.2.0.1.0 production: login</title>
    <link rel="stylesheet" href="/iplus/iplus.css" type="tex
Recommendation:
Restrict access to the Oracle iSQL*Plus web site via IP address restrictions and install the Oracle patch.
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2002-1264

Apache mod_ssl Trusted Certificate Authority Buffer Overflow
Description:
A buffer overflow vulnerability in i2d_SSL_SESSION function in Apache-SSL and mod_ssl allows remote attackers to execute arbitrary code on targeted hosts.
Response from System:
Script Output:
    http/1.1 200 ok
    date: wed, 16 jun 2004 07:14:04 gmt
    server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
    last-modified: tue, 20 aug 2002 21:41:18
Recommendation:
Update to the latest version of mod_ssl and Apache HTTP Server:
http://httpd.apache.org/download.cgi
http://www.modssl.org/
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2002-0082

Oracle TNS Listener Unauthorized Access
Description:
A Oracle TNS Listener has been detected on the host.
Recommendation:
It is recommended to only allow certain IP's or subnet ranges to access the TNS listener. This can be done by adding a rule in the firewall.
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2002-0567

Apache Escape Characters Vulnerability
Description:
A problem exists in Apache's handling of escape characters in access logs.
Response from System:
Script Output:
    http/1.1 200 ok
    date: wed, 16 jun 2004 07:07:25 gmt
    server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
    last-modified: tue, 20 aug 2002 21:41:18
Recommendation:
Update to the latest Apache:
http://httpd.apache.org/download.cgi
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2003-0083

Oracle 9i Application/Database Server SOAP DTD Vulnerability
Description:
Oracle9i Application and Database server contain a vulnerability in the processing of SOAP (Simple Object Access Protocol) messages whose XML contains carefully constructed Data Type Definitions (DTDs).
Recommendation:
Workarounds:
If SOAP is protected by client authentication before the processing of SOAP XML data structures, unauthenticated clients do not pose a threat; for example, SSL sessions protected by Client X.509 certificates are protected against unauthenticated clients.
For those sites that do not use SOAP, disabling SOAP is a workaround. Disable SOAP by removing or renaming the following SOAP library, which is delivered in the following JAR file:
    [Oracle Home]/soap/lib/soap.jar
Removing or renaming this library will remove access to SOAP, including support for Web services functionality.
Patch Availability:
Please see Metalink Document ID 259556.1:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=259556.1
Common Vulnerabilities & Exposures (CVE) Link:
None

OpenSSL ASN.1 Parsing Recursion Denial-of-Service
Description:
A denial-of-service vulnerability in OpenSSL allows remote attackers to stop a targeted Web server from responding.
Response from System:
Script Output:
    http/1.1 200 ok
    date: wed, 16 jun 2004 07:24:40 gmt
    server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
    last-modified: tue, 20 aug 2002 21:41:18 gmt
    etag: "0-89a-3d62b77e"
    accept-ranges: bytes
    content-length: 2202
    connection: close
    content-type: text/html

    <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
    <html>
    <head>
    <meta http-equiv="content-type" content="text/html; ch
Recommendation:
Update to OpenSSL 0.9.7c or 0.9.6l and later:
http://www.openssl.org/
SGI has released the following patches:
ftp://patches.sgi.com/support/free/security/patches/6.5.19/patch5362.tar
ftp://patches.sgi.com/support/free/security/patches/6.5.20/patch5405.tar
ftp://patches.sgi.com/support/free/security/patches/6.5.21/patch5363.tar
Cisco patches are available to registered users from:
http://www.cisco.com/tacpage/sw-center/
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2003-0851

Oracle9iAS Web Server Dynamic Monitoring Services access.
Description:
An unauthorized access to Dynamic Monitoring Services vulnerability exists within Oracle9iAS Web Server which discloses sensitive information to an attacker.
Recommendation:
Currently no vendor-supplied patches are available for this issue.
Workaround:
Restricting access to the Dynamic Monitoring Services.
1. From your ~/$ORACLE_HOME$/apache/apache/conf directory, open and modify your web server's configuration file (httpd.conf).
2. Restrict access to the following files:
    /dms0
    /servlet/DMSDump
    /dms/DMSDump
    /servlet/Spy
    /soap/servlet/Spy
    /dms/AggreSpy
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2002-0563

Apache Log Files Escape Sequences
Description:
A vulnerability in the Apache HTTP Server allows remote attackers to cause the targeted server to process escape sequences.
Recommendation:
Update to the latest version of the Apache HTTP server:
http://httpd.apache.org/
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2003-0020

Oracle9iAS unauthorized Java Process Manager access.
Description:
An unauthorized access to the Java Process Manager vulnerability exists within Oracle9iAS Web Server which discloses sensitive information to an attacker.
Recommendation:
Restricting access to the /oprocmgr-status page.
1. From your ~/$ORACLE_HOME$/apache/apache/conf directory, open and modify your web server's configuration file (httpd.conf) to prevent access to the /oprocmgr-status page.
Common Vulnerabilities & Exposures (CVE) Link:
None

Oracle9iAS Jserv non-existent file request cross site scripting
Description:
A cross site scripting vulnerability in Oracle9iAS allows attackers to execute arbitrary client side scripting code.
Recommendation:
Oracle has released a patch for this vulnerability.
This patch is available (patch #1554571) on Oracle's Support Services site:
http://metalink.oracle.com
To download the patch, register and login to the Oracle Metalink site if not already done so. Then simply download the patch to a temp directory, and run the patch from there. The patch will have instructions on what to do next.
Common Vulnerabilities & Exposures (CVE) Link:
None

Oracle sqldemos CSS and database access
Description:
Vulnerabilities in various demo applets and scripts included with Oracle allow remote attackers to conduct cross-site scripting attacks, access databases, and perform other actions on the targeted system.
Recommendation:
Remove demo scripts from servers in a production environment.
Common Vulnerabilities & Exposures (CVE) Link:
None

Oracle9iAS Sample Scripts Information Disclosure
Description:
An information disclosure vulnerability exists within Oracle9i Web Server which allows an attacker to gather sensitive information about the system.
Recommendation:
Oracle has released a patch for this vulnerability. To download the patch, you must have a membership account with Oracle Support. If you do not have one, follow the link below:
http://otn.oracle.com/admin/account/membership.html
If you currently have a support membership, download the patch listed below.
OJSP 1.1.2.0.0, which can be obtained here:
http://otn.oracle.com/software/tech/java/servlets/content.html
Common Vulnerabilities & Exposures (CVE) Link:
None

Oracle9i HTTP Server JSP Path Disclosure
Description:
A path disclosure vulnerability exists within some versions of Oracle HTTP server that allows for an attacker to obtain filesystem information.
Recommendation:
Oracle has also provided the following workaround:
Ensure that the virtual path in a URL is different from the actual directory path when using Oracle Apache JServ. Also, do not use the (servletzonepath) directory in 'ApJServMount (servletzonepath) (servletzone)' to store data or files.
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2001-1372

TRACE HTTP method enabled
Description:
An information disclosure vulnerability in various Web servers allows attackers to retrieve cookies or other sensitive data from Web client browsers.
Response from System:
Script Output:
    Request:
    TRACE / HTTP/1.1
    Host: 2781156533
    Cookie: Foundscan=sample-cookie-would-be-here
    Script: <script>alert('GOTCHA')</script>

    Response:
    HTTP/1.1 200 OK
    Date: Wed, 16 Jun 2004 07:18:53 GMT
    Server: Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
    Transfer-Encoding: chunked
    Content-Type: message/http

    7f
    TRACE / HTTP/1.1
    Cookie: Foundscan=sample-cookie-would-be-here
    Host: 2781156533
    Script: <script>alert('GOTCHA')</script>

    0
Recommendation:
Update your software to the latest version and disable support for the HTTP TRACE command.
Microsoft IIS - Use the Microsoft URLScan tool to deny HTTP TRACE requests
URLScan Tool: http://www.microsoft.com/technet/security/tools/urlscan.asp
Apache Software Foundation - Use the ReWrite MOD for Apache to deny HTTP TRACE
mod_rewrite: http://httpd.apache.org/docs/mod/mod_rewrite.html
Sun Microsystems - Sun Alert ID: 50603:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50603
Common Vulnerabilities & Exposures (CVE) Link:
None

Oracle9iAS soapConfig.xml SOAP Configuration Disclosure
Description:
A configuration file disclosure vulnerability exists within Oracle9iAS which allows an attacker to access sensitive information.
Recommendation:
Currently no vendor-supplied patches are available for this issue.
Workaround:
Restrict access to 'soapConfig.xml' in httpd.conf.
By default, this file is named soapConfig.xml and is placed in the directory $SOAP_HOME/webapps/soap/WEB-INF/config on UNIX or %SOAP_HOMEwebappssoapWEB-INFconfig on Windows NT.
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2002-0568

Apache rotatelogs Denial of Service
Description:
A vulnerability in the rotatelogs program for the Apache HTTP Server allows remote attackers to stop targeted hosts from logging actions.
Response from System:
Script Output:
    http/1.1 200 ok
    date: wed, 16 jun 2004 07:37:33 gmt
    server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
    last-modified: tue, 20 aug 2002 21:41:18
Recommendation:
Update to Apache 1.3.28 or later:
http://httpd.apache.org/
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2003-0460

FastCGI echo2.exe Cross-site Scripting
Description:
A cross-site scripting vulnerability in FastCGI echo2.exe CGI script allows remote attackers to submit requests containing potentially malicious html or scripts to the Web server.
Recommendation:
Foundstone recommends that you remove the FastCGI sample scripts, including echo2.exe, from any server in a production environment.
Common Vulnerabilities & Exposures (CVE) Link:
None

Web Server Supports Weak SSL Encryption Certificates
Description:
The host uses weak cipher keys when communicating using the SSL protocol.
Recommendation:
Enforce the use of 128-bit SSL keys. This may not be possible in all situations because keys distributed by some vendors use 40 bits. This includes certificates from organizations such as Verisign. When configuring communications using SSL, use the highest key strength possible.
Common Vulnerabilities & Exposures (CVE) Link:
None

***************************** end of report *****************************

thanks
Abhishek

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Edgar Chupit
Sent: Wednesday, June 30, 2004 12:26 PM
To: Abhishek Saxena
Subject: Re: Security Issue with Oracle 9i R2 Databse

Hello Abhishek,

AS> 1. Due to some Security concern

What is this concern? Can you, please, be more specific?

AS> how can i disable Jserver Option in Oracle Database 9i R2 ...
Please see Note:209870.1 titled "How to Reload the JVM in 9.2.0.X".

For other security related problems, you may wish to visit Pete Finnigan's site http://www.petefinnigan.com/; it is full of different security related information.

--
Best regards,
 Edgar

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------