How to Stop / shutdown iSQL*Plus

This short article shows how you can disable / shutdown / stop iSQL*Plus in Oracle. This web based version of SQL*Plus has been available since version 8iR3 (8.1.7) and is a useful tool but there are a few known security issues with its use in a production environment. Because it uses internet techniques to access the database you should be carful with its use. The SANS step-by-step guide has some details on securing iSQL*plus. These are also covered in the SANS S.C.O.R.E document and the CISecurity Oracle benchmark - both are based on the SANS step-by-step and can be found here

For instance just in Feb 2004 a new CSS exploit has been made public on the Oracle security alerts website using this tool as the example.

Here is how to disable iSQL*Plus:

on Windows you will find the file %ORACLE_HOME%\Apache\Apache\conf\oracle_apache.conf and then comment out the following line:

		#
		#include "C:\oracle\ora90\sqlplus\admin\isqlplus.conf"
		#

Save the file and then restart Apache and iSQL*Plus will no longer work. This can be done from =>

Start -> Settings -> Control Panel -> Administrative Tools -> Services and then locate the Oracle HTTP server - for instance on my Oracle 9iR2 Personal Oracle its called "OracleOraHome90HTTPServer"

On Unix the file name is the same and in the same location but use $ORACLE_HOME instead of %ORACLE_HOME%. Also to restart apache on Unix use the apachectl script with start and stop commands.

Finally you can test if iSQL*Plus is indeed disabled by going to http://:7778/isqlplus in your favourite browser.

Back