Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Speaking engagements tomorrow and in April"] [Next entry: "Oracle is advising customers to patch the last CPU very quickly"]

David Litchfield has released a workaround for an unpatched Oracle security bug

At 6.25pm today David Litchfield has posted a workaround for an un-patched critical flaw in the Oracle PL/SQL gateway. This is a component in iAS, OAS and the Oracle HTTP server. The bug allows an attacker to bypass the PLSQLExclusion list that stops access to critical packages and procedures. The post to the bugtraq mailing list is titled "Workaround for unpatched Oracle PLSQL Gateway flaw" and it gives details of mod_rewrite rules that can be added to the httpd.conf file. mod_rewrite is available on the platforms. The rules check for a trailing right hand bracket which is a signature of the attack.

I was aware of this issue as I had seen the NISCC post previously. Anyone who has the Oracle HTTP server enabled needs to apply this workaound immediatley.