Pete Finnigan's Oracle Security Weblog

I just saw on Alex's site this evening that he has written and released three new Oracle security advisories today (26-Apr-2005). These are as follows:

"Webcache Client Requests bypasses OHS mod_access Restrictions" - This bug advises that it is possible to access protected URL's by using webcache. There is a workaround to add "UseWebCacheIP ON" to the httpd.conf file. Alex also informs us that Oracle fixed the issue by adding the UseWebcacheIP parameter to the Oracle HTTP Server but more importantly there was no advisory released by Oracle to tell customers of the fix. It is not clear which version / patch fixed the issue.

"Append file vulnerability in Oracle Webcache 9i" - Alex advises us that it is possible to corrupt any Oracle Application Server installation file by adding garbage to the file such as httpd.conf. Alex provides an example URL. Again Alex tells us that this issue was fixed by Oracle (no version / patch information as to when it was fixed) without informing him or its customers.

"Cross Site Scripting in Oracle Webcache 9i" - Alex tells us that there are many parameters that are vulnerable to XSS/CSS attacks and by combining with the previous bug it is possible to corrupt any Oracle Application Server installation. Alex gives us three example URL's that could be used. Again Oracle have fixed the issue, no version/patch indication is given and again Alex says he was not informed and neither were customers.

Anyone using Oracle's application server and webcache in particular should make themselves aware of these issues.