A lot of people are running Oracle on WINDOWS. They simply do not know about the possibility to compile their own httpd with an SSL library.

JP

MacGregor, Ian A. wrote:
> How many people actually run the HTTP server which comes with the database?
> Isn't that pleading for someone to commit mischief? It was too long ago that
> an SSL problem was announced also dealing with the HTTP server. The attack
> vector employs iSQL; is that only available through the "database" HTTP server
> or can it be run via iAS?
>
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian@xxxxxxxxxxxxxxxxx
>
>
> -----Original Message-----
> From: Jared.Still@xxxxxxxxxxx [mailto:Jared.Still@xxxxxxxxxxx]
> Sent: Tuesday, January 27, 2004 5:26 PM
> To: oracle-l@xxxxxxxxxxxxx
> Subject: [oracle-l] Oracle HTTP Server Cross Site Scripting Vulnerability
>
>
> ----- Forwarded by Jared Still/Radisys_Corporation/US on 01/27/2004 05:25 PM -----
>
> "Rafel Ivgi, The-Insider" <theinsider@xxxxxxxxxx>
> 01/24/2004 01:54 AM
> Please respond to "Rafel Ivgi, The-Insider"
>
>
> To: "bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
> cc: "securitytracker" <bugs@xxxxxxxxxxxxxxxxxxx>
> Subject: Oracle HTTP Server Cross Site Scripting Vulnerability
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Software: Oracle HTTP Server Powered by Apache
> Vendor: http://www.apache.com
>         http://www.oracle.com
> Versions: Oracle HTTP Server Powered by Apache/1.3.22 (Win32)
>           mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12
>           mod_oprocmgr/1.0 mod_perl/1.25
> Platforms: Windows
> Bug: Cross Site Scripting Vulnerability
> Risk: Low
> Exploitation: Remote with browser
> Date: 24 Jan 2004
> Author: Rafel Ivgi, The-Insider
> e-mail: the_insider@xxxxxxxx
> web: http://theinsider.deep-ice.com
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 1) Introduction
> 2) Bug
> 3) The Code
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ===============
> 1) Introduction
> ===============
>
> Apache is the most common unix server in the world. It is strong and safe.
> Oracle HTTP Server is a modified, custom Apache server that was created by
> Apache for Oracle.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ======
> 2) Bug
> ======
>
> The vulnerability is Cross Site Scripting. If an attacker requests the
> following URL from the server:
> http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
> or
> http://<host>/isqlplus?action=<script>alert('XSS')</script>
> XSS appears and the server allows an attacker to inject & execute scripts.
>
> In the words of securityfocus.com:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> If all of these circumstances are met, an attacker may be able to exploit
> this issue via a malicious link containing arbitrary HTML and script code as
> part of the hostname. When the malicious link is clicked by an unsuspecting
> user, the attacker-supplied HTML and script code will be executed by their
> web client. This will occur because the server will echo back the malicious
> hostname supplied in the client's request, without sufficiently escaping HTML
> and script code.
>
> Attacks of this nature may make it possible for attackers to manipulate web
> content or to steal cookie-based authentication credentials. It may be
> possible to take arbitrary actions as the victim user.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ===========
> 3) The Code
> ===========
>
> http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
> http://<host>/isqlplus?action=<script>alert('XSS')</script>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ---
> Rafel Ivgi, The-Insider
> http://theinsider.deep-ice.com
>
> "Things that are unlikeable, are NOT impossible."
>

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
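The advisory above boils down to one defect: the logon page echoes request parameters back into HTML without encoding them. The following Python is an added example, not code from the thread, from Oracle, or from the advisory's author. It uses a hypothetical logon form template (`FORM_TEMPLATE`, `render_logon_unsafe`, `render_logon_safe` are all made up for illustration) to show the unencoded reflection beside the fixed version, and then runs a small detector over constructed Apache access-log lines so an administrator of the "database" HTTP server can spot requests to `/isqlplus` whose decoded parameters carry HTML tags.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical logon page that re-displays the submitted username inside the
# form, the way the advisory describes the real page echoing its parameters.
# This is an illustration, not Oracle's code.
FORM_TEMPLATE = (
    '<form action="/isqlplus"><input name="username" value="{username}">'
    '<input name="password" type="password"></form>'
)


def render_logon_unsafe(username: str) -> str:
    """Reflects the parameter verbatim: the defect the advisory describes."""
    return FORM_TEMPLATE.format(username=username)


def render_logon_safe(username: str) -> str:
    """Same page with HTML attribute encoding applied to the reflected value.

    quote=True also encodes ' and ", so a submitted value cannot close the
    value="..." attribute and start a new tag of its own.
    """
    return FORM_TEMPLATE.format(username=html.escape(username, quote=True))


def reflects_raw_markup(page: str) -> bool:
    """True if a <script> tag survived into the rendered HTML unencoded."""
    return re.search(r"<\s*script", page, re.IGNORECASE) is not None


# --- Detection: look for the advisory's request shape in Apache access logs ---

# Tags that have no business appearing in an isqlplus logon parameter.
MARKUP_RE = re.compile(r"<\s*/?\s*(script|img|iframe|svg)\b", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decoded_params(request_target: str) -> dict:
    """Split the request target and percent-decode every query parameter."""
    return parse_qs(urlsplit(request_target).query, keep_blank_values=True)


def flag_reflected_xss_attempts(log_lines) -> list:
    """Return (client_ip, request_target, parameter) for each request to
    /isqlplus whose decoded parameters contain HTML tags."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        if not urlsplit(target).path.startswith("/isqlplus"):
            continue
        client_ip = line.split(" ", 1)[0]
        for name, values in decoded_params(target).items():
            if any(MARKUP_RE.search(v) for v in values):
                hits.append((client_ip, target, name))
                break
    return hits


# Constructed Apache combined-format log lines (not real traffic). The first
# two reproduce the two request shapes given in the advisory; the third is an
# ordinary logon that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2004:01:54:00 +0200] "GET /isqlplus?action=logon'
    '&username=sdfds%22%3e%3cscript%3ealert(\'XSS\')%3c/script%3e&password=x'
    ' HTTP/1.1" 200 1523',
    '10.0.0.5 - - [24/Jan/2004:01:54:05 +0200] "GET /isqlplus?action='
    '%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 1523',
    '10.0.0.9 - - [24/Jan/2004:02:00:00 +0200] "GET /isqlplus?action=logon'
    '&username=scott&password=x HTTP/1.1" 200 1523',
]

if __name__ == "__main__":
    probe = "x\"><script>alert('XSS')</script>"
    print("unsafe reflects markup:", reflects_raw_markup(render_logon_unsafe(probe)))
    print("safe reflects markup:  ", reflects_raw_markup(render_logon_safe(probe)))
    for hit in flag_reflected_xss_attempts(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The detector decodes the query string before matching, because the advisory's own URLs arrive percent-encoded (`%3cscript%3e`) and a naive grep for `<script` on the raw log line would miss them. The encoding fix is deliberately attribute-aware: escaping only `<` and `>` would still let a `"` close the `value` attribute, which is exactly what the advisory's `%22%3e` prefix does.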