SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

More on the workaround for the unpatched Oracle PLSQL Gateway flaw


Arrow  SecurityAlert : 403
Arrow  CVE : CVE-2006-0435
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Available : No
Arrow  Credit : David Litchfield
Arrow  Published : 03.02.2006

Arrow  Affected Software : Oracle PLSQL Gateway



Arrow  Advisory Content :  

According to Oracle, the workaround I posted, that prevents exploitation of

a critical vulnerability that Oracle has so far failed to fix, breaks
certain applications that sits atop their PLSQL Gateway. Though my
workaround prevents exploitation of the critical flaw and thus protects
vulnerable systems against attack, Oracle has made no effort to furnish me,

or anyone else for that matter, with more information on how the workaround

breaks some of their applications. As such, improving the workaround so it
doesn't break these few applications has been mildy annoying. But I think
I've tracked it down. The workaround as is

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

will trigger if a right facing bracket ')' appears in the PATH_INFO or
_anywhere_ in the query string. Thus, if the value of a query string
parameter contains a bracket the workaround will trigger. As far as the
flaw
is concerned, we need only concern ourselves with brackets that appear in
the query string parameter name - not in the value for the parameter name.
As such, if we modify the workaround to

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*).*=|.*%29.*=$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

we can prevent exploitation if the query string parameter name has a
bracket
whilst still allowing brackets it the paramter value. This can be tidied up

to read

RewriteEngine on
RewriteCond %{QUERY_STRING} ).*=|%29.*=
RewriteRule .? http://127.0.0.1/denied.htm?attempted-attack
RewriteRule )|%29 http://127.0.0.1/denied.htm?attempted-attack

# Thanks, Mike Pomraning!

For those that haven't been able to adopt the workaround because it would
break their specific application, then the modified workaround should work
in your situation.

Cheers,
David Litchfield




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.