BugTraq
Re: Workaround for unpatched Oracle PLSQL Gateway flaw Feb 08 2006 05:48PM
a b com (1 replies)
Re: Workaround for unpatched Oracle PLSQL Gateway flaw Feb 08 2006 07:48PM
David Litchfield (davidl ngssoftware com)
> So, like, what about
> http://www.integrigy.com/info/IntegrigySecurityAnalysis-MODPLSQLVuln.pdf

This provides an excellent analysis of the problem. Further, it discusses
the recommendation made by Vladimir Zakharychev from Webrecruiter. This
recommendation is to set the "always_describe" /
"PlsqlAlwaysDescribeProcedure" to "yes" / "on" in the "wdbsvr.app" /
"dads.conf" file. This is a simple workaround and, as I can confirm, it does
prevent exploitation. Why on earth didn't Oracle make this simple
recommendation in the January 2006 CPU?

I hereby withdraw my workaround and would encourage everyone to adopt
Vladimir's.

Cheers,
David Litchfield

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus