Oracle 9iAS OWA_UTIL Stored Procedures Information Disclosure

medium Nessus Plugin ID 11225

Synopsis

Sensitive data may be accessed on the remote host.

Description

Oracle 9iAS can expose the PL/SQL application OWA_UTIL, which provides web access to some stored procedures. Without authentication, these procedures can allow users to access sensitive information, such as application source code and user credentials for other database servers, and to run arbitrary SQL queries on servers accessed by the application server.

Solution

Apply the appropriate patch listed in Oracle's advisory, which details how you can restrict unauthenticated access to procedures using the exclusion_list parameter in the PL/SQL gateway configuration file '/Apache/modplsql/cfg/wdbsvr.app'.

See Also

http://www.nessus.org/u?6d8e79aa

http://www.nessus.org/u?97653726

Plugin Details

Severity: Medium

ID: 11225

File Name: oracle9i_owautil.nasl

Version: 1.30

Type: remote

Family: Databases

Published: 2/11/2003

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:oracle:application_server, cpe:/a:oracle:application_server_web_cache

Required KB Items: www/OracleApache

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2002

Vulnerability Publication Date: 2/6/2002

Reference Information

CVE: CVE-2002-0560

BID: 4294

CERT: 307835

CERT-CC: CA-2002-08