RE: [oracle-l] Re: Oracle HTTP Server Cross Site Scripting Vulnerability

  • From: "Goulet, Dick" <DGoulet@xxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 28 Jan 2004 11:46:14 -0500

Well, IMHO it does not help that the Oracle installer installs and starts it without telling you.  I guess Uncle Larry has learned a trick or two from the Gates.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----
From: Jan Pruner [mailto:JPruner@xxxxxxxx]
Sent: Wednesday, January 28, 2004 5:55 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: [oracle-l] Re: Oracle HTTP Server Cross Site Scripting Vulnerability


A lot of people are running Oracle on WINDOWS.
They simply do not know about the possibility to compile their own httpd with the SSL library.

JP

MacGregor, Ian A. wrote:
> How many people actually run the HTTP server which comes with the database?  Isn't that pleading for someone to commit mischief?  It was too long ago that an SSL problem was announced also dealing with the HTTP server.  The attack vector employs iSQL; is that only available through the "database" HTTP server, or can it be run via iAS?
>
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian@xxxxxxxxxxxxxxxxx
>
>
> -----Original Message-----
> From: Jared.Still@xxxxxxxxxxx [mailto:Jared.Still@xxxxxxxxxxx]
> Sent: Tuesday, January 27, 2004 5:26 PM
> To: oracle-l@xxxxxxxxxxxxx
> Subject: [oracle-l] Oracle HTTP Server Cross Site Scripting Vulnerability
>
>
> ----- Forwarded by Jared Still/Radisys_Corporation/US on 01/27/2004 05:25 PM -----
>
> "Rafel Ivgi, The-Insider" <theinsider@xxxxxxxxxx>
>  01/24/2004 01:54 AM
>  Please respond to "Rafel Ivgi, The-Insider"
>
>
>         To:     "bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
>         cc:     "securitytracker" <bugs@xxxxxxxxxxxxxxxxxxx>
>         Subject:        Oracle HTTP Server Cross Site Scripting Vulnerability
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Software:        Oracle HTTP Server Powered by Apache
> Vendor:           http://www.apache.com
>                          http://www.oracle.com
> Versions:        Oracle HTTP Server Powered by Apache/1.3.22 (Win32)
> mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
> Platforms:       Windows
> Bug:                 Cross Site Scripting Vulnerability
> Risk:                Low
> Exploitation:     Remote with browser
> Date:               24 Jan 2004
> Author:            Rafel Ivgi, The-Insider
> e-mail:             the_insider@xxxxxxxx
> web:                http://theinsider.deep-ice.com
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 1) Introduction
> 2) Bug
> 3) The Code
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ===============
> 1) Introduction
> ===============
>
> Apache is the most common Unix server in the world. It is strong and safe. Oracle HTTP Server is a modified, custom Apache server that was created by Apache for Oracle.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ======
> 2) Bug
> ======
>
> The vulnerability is Cross Site Scripting. If an attacker requests the following URL from the server:
> http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
> Or
> http://<host>/isqlplus?action=<script>alert('XSS')</script>
> XSS appears and the server allows an attacker to inject & execute scripts.
>
> In the words of securityfocus.com:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> If all of these circumstances are met, an attacker may be able to exploit this issue via a malicious link containing arbitrary HTML and script code as part of the hostname. When the malicious link is clicked by an unsuspecting user, the attacker-supplied HTML and script code will be executed by their web client. This will occur because the server will echo back the malicious hostname supplied in the client's request, without sufficiently escaping HTML and script code.
>
> Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ===========
> 3) The Code
> ===========
>
> http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
> http://<host>/isqlplus?action=<script>alert('XSS')</script>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ---
> Rafel Ivgi, The-Insider
> http://theinsider.deep-ice.com
>
> "Things that are unlikeable, are NOT impossible."
>
>
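The advisory quoted above comes down to one defect: the isqlplus logon page echoes request parameters back into HTML without escaping them. The following Python is an added example, not Oracle's code or the advisory author's; it uses a constructed stand-in for the logon form (FORM, render_vulnerable, render_escaped and the log lines are all assumptions) to show the unescaped echo beside the attribute-escaped one with the advisory's own query string, and to flag /isqlplus requests carrying a script tag in constructed Apache access-log lines.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Constructed stand-in for the isqlplus logon page (not Oracle's code): the
# submitted username is echoed back into the form's value attribute.
FORM = '<form action="/isqlplus"><input name="username" value="{user}"></form>'

def _username(query: str) -> str:
    """Extract the decoded username parameter from a raw query string."""
    return parse_qs(query).get("username", [""])[0]

def render_vulnerable(query: str) -> str:
    """Echo the parameter as-is: the behaviour the advisory reports."""
    return FORM.format(user=_username(query))

def render_escaped(query: str) -> str:
    """Same page, with the value escaped for the HTML attribute context."""
    return FORM.format(user=html.escape(_username(query), quote=True))

def contains_script(text: str) -> bool:
    """True if the text contains a literal (unescaped) <script tag."""
    return re.search(r"<script\b", text, re.I) is not None

# The advisory's first query string, URL-encoded as a browser would send it.
ADVISORY_QUERY = ("action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')"
                  "%3c/script%3e&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e")

# Constructed Apache access-log lines (not from any real server).
LOG_LINES = [
    '10.0.0.5 - - [24/Jan/2004:01:54:00 +0200] "GET /isqlplus?action=logon'
    '&username=scott&password=tiger HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jan/2004:01:55:10 +0200] "GET /isqlplus?action=logon'
    '&username=sdfds%22%3e%3cscript%3ealert(%27XSS%27)%3c/script%3e HTTP/1.1" 200 640',
    '10.0.0.9 - - [24/Jan/2004:01:56:02 +0200] "GET /isqlplus?action='
    '%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 640',
]
REQUEST = re.compile(r'"(?:GET|POST) (/isqlplus\?[^ "]*)')

def suspicious_isqlplus_requests(lines):
    """Return decoded /isqlplus request targets whose query carries a script tag."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if match and contains_script(unquote(match.group(1))):
            hits.append(unquote(match.group(1)))
    return hits

if __name__ == "__main__":
    print(render_vulnerable(ADVISORY_QUERY))
    print(render_escaped(ADVISORY_QUERY))
    print(suspicious_isqlplus_requests(LOG_LINES))
```

The escaped rendering keeps the `">` that would otherwise close the value attribute inside it as `&quot;&gt;`, which is why the same query no longer yields a script element.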
----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to:  oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------