Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research
WLB

WLB Database

Send to WLB

About WLB
RSS

News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP
Corporate

Contact

About us
Services

SecurePHP
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Details : SecurityAlert

  Topic : More on the workaround for the unpatched Oracle PLSQL Gateway flaw
  SecurityAlert : 403
  CVE : CVE-2006-0435
  SecurityRisk : Medium  alert  (About)
  Remote Exploit : Yes
  Local Exploit : Yes
  Exploit Given : No
  Credit : David Litchfield
  Published : 03.02.2006

  Affected Software : Oracle PLSQL Gateway



  Advisory Text :  

According to Oracle, the workaround I posted, that prevents exploitation of

a critical vulnerability that Oracle has so far failed to fix, breaks
certain applications that sits atop their PLSQL Gateway. Though my
workaround prevents exploitation of the critical flaw and thus protects
vulnerable systems against attack, Oracle has made no effort to furnish me,

or anyone else for that matter, with more information on how the workaround

breaks some of their applications. As such, improving the workaround so it
doesn't break these few applications has been mildy annoying. But I think
I've tracked it down. The workaround as is

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

will trigger if a right facing bracket ')' appears in the PATH_INFO or
_anywhere_ in the query string. Thus, if the value of a query string
parameter contains a bracket the workaround will trigger. As far as the
flaw
is concerned, we need only concern ourselves with brackets that appear in
the query string parameter name - not in the value for the parameter name.
As such, if we modify the workaround to

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*).*=|.*%29.*=$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

we can prevent exploitation if the query string parameter name has a
bracket
whilst still allowing brackets it the paramter value. This can be tidied up

to read

RewriteEngine on
RewriteCond %{QUERY_STRING} ).*=|%29.*=
RewriteRule .? http://127.0.0.1/denied.htm?attempted-attack
RewriteRule )|%29 http://127.0.0.1/denied.htm?attempted-attack

# Thanks, Mike Pomraning!

For those that haven't been able to adopt the workaround because it would
break their specific application, then the modified workaround should work
in your situation.

Cheers,
David Litchfield



  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Microsoft VISTA TCP/IP stack buffer overflow

high- 2008-11-27

Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory.
Apache rss

» Apache Tomcat information
   disclosure

» Apache Tomcat <=
   6.0.18 UTF8 Directory
   Traversal Vulnerability

» Apache Tomcat information
   disclosure vulnerability

» Apache Tomcat XSS
   vulnerability
PHP rss

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file

» PHP 5.2.6 (error_log)
   safe_mode bypass
Copyright © SecurityReason. All Rights Reserved.