linux, säkerhet

5949573 2001-01-10 14:12 -0600  /36 rader/ Security Alerts Oracle Corporation <secalert_us@ORACLE.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-01-12  20:49  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: secalert_us@ORACLE.COM
Mottagare: Bugtraq (import) <14776>
Ärende: Patch for Potential Vulnerability in Oracle Internet Application
------------------------------------------------------------
 Server
From: Security Alerts Oracle Corporation <secalert_us@ORACLE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A5CC22D.CDA6AC5@oracle.com>

In recent weeks, a potential vulnerability associated with the
mod_plsql function in Oracle Application Server  (OAS) and Oracle
Internet Application Server (iAS) was reported on Bugtraq.  At that
time Oracle recommended workarounds to the potential vulnerability.
In follow up discussions on Bugtraq, it was suggested that Oracle
should permit customers to disallow outside users from access to all
but specific, known PL/SQL procedures, and that Oracle should
disallow special characters from being passed in procedure names to
mod_plsql.

Oracle has released a patch for Oracle Internet Application Server which
introduces a new configuration parameter in mod_plsql called
exclusion_list.  This parameter can be used to disallow URLs with
specific formats from being passed to mod_plsql; by default it excludes
URLs with special characters such as space, tab, newline, carriage
return, single quote, and backslash.   This patch is available (patch
#1554571) on Oracle's Support Services site
(http://metalink.oracle.com/); it may be found by searching on patches
for Oracle Portal or Oracle9i Application Server Enterprise Edition.

Oracle recommends that this patch be applied to Internet Application
Server version 1.0.2.0.  Internet Application Server version 1.0.2.1,
and future versions, are scheduled to include the patch.

Note also that the Apache listener in Oracle Internet Application Server
already allows customers to define "inclusion-only" rules in the
plsql.conf configuration file.  This can be used to prevent outside user
access to any PL/SQL procedure except those for which outside user
access is explicitly granted in plsql.conf.   As noted in Oracle's
recent posting on Bugtraq, these rules are case sensitive.
(5949573) --------------------------------(Ombruten)