|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 403 CVE : CVE-2006-0435 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Given : No Credit : David Litchfield Published : 03.02.2006
Advisory Text : According to Oracle, the workaround I posted, that prevents exploitation of a critical vulnerability that Oracle has so far failed to fix, breaks certain applications that sits atop their PLSQL Gateway. Though my workaround prevents exploitation of the critical flaw and thus protects vulnerable systems against attack, Oracle has made no effort to furnish me, or anyone else for that matter, with more information on how the workaround breaks some of their applications. As such, improving the workaround so it doesn't break these few applications has been mildy annoying. But I think I've tracked it down. The workaround as is RewriteEngine on RewriteCond %{QUERY_STRING} ^.*).*|.*%29.*$ RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack RewriteRule ^.*).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack will trigger if a right facing bracket ')' appears in the PATH_INFO or _anywhere_ in the query string. Thus, if the value of a query string parameter contains a bracket the workaround will trigger. As far as the flaw is concerned, we need only concern ourselves with brackets that appear in the query string parameter name - not in the value for the parameter name. As such, if we modify the workaround to RewriteEngine on RewriteCond %{QUERY_STRING} ^.*).*=|.*%29.*=$ RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack RewriteRule ^.*).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack we can prevent exploitation if the query string parameter name has a bracket whilst still allowing brackets it the paramter value. This can be tidied up to read RewriteEngine on RewriteCond %{QUERY_STRING} ).*=|%29.*= RewriteRule .? http://127.0.0.1/denied.htm?attempted-attack RewriteRule )|%29 http://127.0.0.1/denied.htm?attempted-attack # Thanks, Mike Pomraning! For those that haven't been able to adopt the workaround because it would break their specific application, then the modified workaround should work in your situation. Cheers, David Litchfield  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |