Well, IMHO it does not help that the Oracle installer installs and starts it without telling you. I guess Uncle Larry has learned a trick or two from the Gates.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----
From: Jan Pruner [mailto:JPruner@xxxxxxxx]
Sent: Wednesday, January 28, 2004 5:55 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: [oracle-l] Re: Oracle HTTP Server Cross Site Scripting Vulnerability

A lot of people run Oracle on WINDOWS. They simply do not know about the possibility to compile their own httpd with an SSL library.

JP

MacGregor, Ian A. wrote:
> How many people actually run the HTTP server which comes with the database? Isn't that pleading for someone to commit mischief? It was too long ago that an SSL problem was announced also dealing with the HTTP server. The attack vector employs iSQL; is that only available through the "database" HTTP server, or can it be run via iAS?
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian@xxxxxxxxxxxxxxxxx
>
> -----Original Message-----
> From: Jared.Still@xxxxxxxxxxx [mailto:Jared.Still@xxxxxxxxxxx]
> Sent: Tuesday, January 27, 2004 5:26 PM
> To: oracle-l@xxxxxxxxxxxxx
> Subject: [oracle-l] Oracle HTTP Server Cross Site Scripting Vulnerability
>
> ----- Forwarded by Jared Still/Radisys_Corporation/US on 01/27/2004 05:25 PM -----
>
> "Rafel Ivgi, The-Insider" <theinsider@xxxxxxxxxx>
> 01/24/2004 01:54 AM
> Please respond to "Rafel Ivgi, The-Insider"
>
> To: "bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
> cc: "securitytracker" <bugs@xxxxxxxxxxxxxxxxxxx>
> Subject: Oracle HTTP Server Cross Site Scripting Vulnerability
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Software: Oracle HTTP Server Powered by Apache
> Vendor: http://www.apache.com
>         http://www.oracle.com
> Versions: Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
> Platforms: Windows
> Bug: Cross Site Scripting Vulnerability
> Risk: Low
> Exploitation: Remote with browser
> Date: 24 Jan 2004
> Author: Rafel Ivgi, The-Insider
> e-mail: the_insider@xxxxxxxx
> web: http://theinsider.deep-ice.com
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 1) Introduction
> 2) Bug
> 3) The Code
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ===============
> 1) Introduction
> ===============
>
> Apache is the most common Unix server in the world. It is strong and safe. Oracle HTTP Server is a modified, custom Apache server that was created by Apache for Oracle.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ======
> 2) Bug
> ======
>
> The vulnerability is Cross Site Scripting. If an attacker requests the following URL from the server:
> http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
> or
> http://<host>/isqlplus?action=<script>alert('XSS')</script>
> XSS appears and the server allows an attacker to inject & execute scripts.
>
> In the words of securityfocus.com:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> If all of these circumstances are met, an attacker may be able to exploit this issue via a malicious link containing arbitrary HTML and script code as part of the hostname. When the malicious link is clicked by an unsuspecting user, the attacker-supplied HTML and script code will be executed by their web client. This will occur because the server will echo back the malicious hostname supplied in the client's request, without sufficiently escaping HTML and script code.
>
> Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ===========
> 3) The Code
> ===========
>
> http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
> http://<host>/isqlplus?action=<script>alert('XSS')</script>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ---
> Rafel Ivgi, The-Insider
> http://theinsider.deep-ice.com
>
> "Things that are unlikeable, are NOT impossible."
>
>

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
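As an added, defender-side example (not part of the thread or of Oracle's code): a Python scan over constructed Apache access-log lines that flags /isqlplus requests whose query parameters carry the HTML metacharacters the advisory says are echoed back unescaped. It goes slightly beyond the advisory by percent-decoding repeatedly, so double-encoded values are not missed. The log lines, client IPs and the helper names are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Constructed sample access-log lines (Apache common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2004:01:54:10 +0000] "GET /isqlplus?action=logon&username=scott&password=tiger HTTP/1.1" 200 1843
10.0.0.9 - - [24/Jan/2004:01:55:02 +0000] "GET /isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e&password=x HTTP/1.1" 200 2011
10.0.0.9 - - [24/Jan/2004:01:55:40 +0000] "GET /isqlplus?action=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 1902
10.0.0.7 - - [24/Jan/2004:01:56:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
META = re.compile(r'[<>"]')  # characters the advisory says are echoed unescaped

def fully_decode(value, limit=3):
    """Percent-decode until stable (bounded) so double-encoded payloads are seen."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return [(name, decoded_value)] for isqlplus query params carrying HTML metacharacters."""
    parts = urlsplit(target)
    if not parts.path.startswith("/isqlplus"):
        return []
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already decoded once; catch further layers
        if META.search(value):
            hits.append((name, value))
    return hits

def scan_log(text):
    """Return [(client_ip, param, decoded_value)] for every flagged request in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group("target")):
            findings.append((ip, name, value))
    return findings

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} isqlplus param {name!r} contains markup: {value!r}")
```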