Tonight Steve Kost has emailed me to let me know that he has released an analysis of the recent mod_plsql 0-day bug / workaround. His analysis is very thorough and concentrates mostly on Oracle Applications / E-Business Suite. His findings indicate that the proposed work around suggested by David Litchfield is very simplistic and will in fact break most Oracle Applications implementations if it is followed.
Steve's paper is titled "mod_plsql security bug disclosure and workaround - Oracle E-Business Suite impact=critical". It first gives background to the disclosure and also describes why the bug is critical for E-Business Suite and that 11i is vulnerable. He goes on to say that the workaround will cause problems and is simplistic.
Steve tals about the role of mod_plsql in E-Business Suite and also about the built in validation for access to key packages that works in front of mod_plsql. He goes on to describe the bug as classic SQL Injection and failure to block unauthorised packages. Quite interestingly on page 3 he describes that the bug is more insideous than first described as any PL/SQL could be executed and that it would be executed as APPS who has access to all Oracle Applications data and packages.
He then goes on to describe how easy it would be to create a working exploit as mod_plsql has built in features to enable an exploit to be easily written.
Steve then analyses the NGS workaround in detail. He says that the rewrite rules suggested will break Oracle Applications and says why. He also says that there could be more issues as no placement for the rules is suggested and he goes on to explain why this is an issue. He finally says that the rewrite rules only block GET requests and that POST's can also be used and these will not be processed. Steve then says that the NGS workaround should not be used.
Steve then gives detailed workarounds for a number of different scenarios. This is an important analysis and should be read if you are using the Oracle HTTP server and mod_plsql. It is called "mod_plsql security bug disclosure and workaround - Oracle E-Business Suite impact=critical" and is well worth reading.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "10.1.0.5 is available"] [Next entry: "Alex has described a new work around for the mod_plsql 0-day bug"]
February 2006
- Stephen Kost (www.integrigy.com) has released an analysis of the mod_plsql 0-day bug / workaround - 02/01/2006 by 02/01/2006
- patch set 10.1.0.5 does not include latest security fixes! - 02/02/2006 by 02/02/2006
- Oracle have released a FAQ to counter the mod_plsql 0-day bug - 02/05/2006 by 02/05/2006
- Inside Oracle's Patch Kimono - 02/06/2006 by 02/06/2006
- Nice thoughts on Oracle internal people finding security bugs - 02/07/2006 by 02/07/2006
- Looks like Oracle will have its own blog aggregator and home - 02/08/2006 by 02/08/2006
- Good paper on password policies - 02/09/2006 by 02/09/2006
- SourceLabs puts its SASH around Oracle - 02/11/2006 by 02/11/2006
- Oracle Starts Melding Security, ID Management Offerings - 02/12/2006 by 02/12/2006
- Inside job - 02/13/2006 by 02/13/2006
- New Oracle blogs aggregator - 02/16/2006 by 02/16/2006
- OASIS stamps approval on WS-Security 1.1 - 02/19/2006 by 02/19/2006
- Security's Heaviest Hitters - 02/21/2006 by 02/21/2006
- Sun's McNealy: Open Source Key To Security - 02/23/2006 by 02/23/2006
- Oracle Integrating Identity Wares - 02/26/2006 by 02/26/2006
- Oracle releases an out of step security patch for E-Business Suite - 02/27/2006 by 02/27/2006
- Oracle publishes out-of-cycle security fix - 02/28/2006 by 02/28/2006
Archives
Syndication
Powered by gm-rss 2.0.0
