Oracle Web Listener URL Character Substitution Vulnerability
Oracle's Web Listener, a combined web server and web-to-database interface, has a weakness that lets unauthorized users reach restricted queries. If a character in a URL is replaced with its HTTP-escaped (percent-encoded) equivalent, the Web Listener grants access without requiring authentication. This is a canonicalization mismatch: the authentication check is applied to the literal, still-encoded request string, while the request itself is serviced after decoding, so the encoded form matches no entry in the restricted list yet still resolves to the restricted resource. If an attacker requests (for example) http://target.host/ows/restricted.show the Web Listener prompts for a user ID and password. If the attacker instead requests http://target.host/ows/restricted%2eshow (%2e being the encoding of '.'), the Web Listener performs the action and displays the results.
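The following is an added example, not Oracle code and not from the original advisory. It models the class of flaw described above in a few lines of Python: an access check that compares the raw request path against a protected list (bypassable with %2e) beside a hardened check that canonicalizes the path first, plus a small probe generator that produces the single-character encoded variants a tester would send. The protected-path table, the "/ows/restricted.show" entry and the response strings are assumptions chosen to mirror the advisory's example.

```python
"""Toy model of the Web Listener URL-encoding bypass (canonicalization mismatch).
Added example; not Oracle's code. Paths and responses below are assumptions."""
from urllib.parse import unquote

# Constructed ACL (assumption): paths that must require authentication.
PROTECTED = {"/ows/restricted.show"}


def is_protected_raw(path: str) -> bool:
    """Vulnerable check: compares the literal request string before percent-decoding.
    '/ows/restricted%2eshow' is not equal to the protected entry, so no
    credentials are demanded even though the same resource is served."""
    return path in PROTECTED


def canonicalize(path: str) -> str:
    """Percent-decode to a fixed point (so double encoding such as %252e also
    normalizes) and collapse '.' and '..' segments before any comparison."""
    cur = path
    for _ in range(4):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    else:
        raise ValueError("excessive encoding nesting")
    parts = []
    for seg in cur.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def is_protected_canonical(path: str) -> bool:
    """Hardened check: decide on the same canonical form the dispatcher will use."""
    return canonicalize(path) in PROTECTED


def handle_request(path: str, authenticated: bool, check) -> str:
    """Simulated dispatch. The resource is resolved from the decoded path,
    exactly as a real server does, while `check` decides whether auth is needed."""
    if check(path) and not authenticated:
        return "401 authentication required"
    if canonicalize(path) in PROTECTED:
        return "200 restricted query result"
    return "404 not found"


def encoded_variants(path: str):
    """Yield every variant of `path` with one non-'/' character percent-encoded:
    the probes a tester sends to check a server for this bypass."""
    for i, ch in enumerate(path):
        if ch != "/":
            yield path[:i] + "%%%02X" % ord(ch) + path[i + 1:]


if __name__ == "__main__":
    for probe in encoded_variants("/ows/restricted.show"):
        print(probe,
              "raw:", handle_request(probe, False, is_protected_raw),
              "| canonical:", handle_request(probe, False, is_protected_canonical))
```

The fix is not to reject percent-encoding (it is legal in URLs) but to make the authorization decision on the same canonical form the server later dispatches on; the decode-to-fixed-point loop and dot-segment collapse are what close the double-encoding and `/./` variants as well as the single `%2e` case in the advisory.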