BugTraq
Re: Workaround for unpatched Oracle PLSQL Gateway flaw Jan 31 2006 02:17PM
x x com (2 replies)
More on the workaround for the unpatched Oracle PLSQL Gateway flaw Feb 02 2006 06:39PM
David Litchfield (davidl ngssoftware com)
According to Oracle, the workaround I posted, that prevents exploitation of
a critical vulnerability that Oracle has so far failed to fix, breaks
certain applications that sits atop their PLSQL Gateway. Though my
workaround prevents exploitation of the critical flaw and thus protects
vulnerable systems against attack, Oracle has made no effort to furnish me,
or anyone else for that matter, with more information on how the workaround
breaks some of their applications. As such, improving the workaround so it
doesn't break these few applications has been mildy annoying. But I think
I've tracked it down. The workaround as is

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

will trigger if a right facing bracket ')' appears in the PATH_INFO or
_anywhere_ in the query string. Thus, if the value of a query string
parameter contains a bracket the workaround will trigger. As far as the flaw
is concerned, we need only concern ourselves with brackets that appear in
the query string parameter name - not in the value for the parameter name.
As such, if we modify the workaround to

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*=|.*%29.*=$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

we can prevent exploitation if the query string parameter name has a bracket
whilst still allowing brackets it the paramter value. This can be tidied up
to read

RewriteEngine on
RewriteCond %{QUERY_STRING} \).*=|%29.*=
RewriteRule .? http://127.0.0.1/denied.htm?attempted-attack
RewriteRule \)|%29 http://127.0.0.1/denied.htm?attempted-attack

# Thanks, Mike Pomraning!

For those that haven't been able to adopt the workaround because it would
break their specific application, then the modified workaround should work
in your situation.

Cheers,
David Litchfield

[ reply ]
Re: Workaround for unpatched Oracle PLSQL Gateway flaw Feb 01 2006 11:12PM
ad (at) heapoverflow (dot) com [email concealed] (ad heapoverflow com)


 

Privacy Statement
Copyright 2010, SecurityFocus