Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "License plate SQL Injection"] [Next entry: "License Plate scanners and SQL Injection"]

Oracle Application Server 10g ORA_DAV basic authentication bypass

I would recommend anyone that is interested in securing their Oracle database to subscribe to some of the major security lists such as the bugtraq list at - (broken link) or the full disclosure list. There are plent more besides these, but these are the major ones.

Why subscribe? - well its important for two reasons (BTW, I am not suggesting in any way that you should read every post - well unless you want to); the first is that these lists get Oracle vulnerabilities listed on a reasonably regular basis. Its worth understanding the sorts of bugs, vulnerabilities and exploits that are out there. The proliferation of lists like these and also of exploit sites like Milw0rm that can be searched for exploits by vendor and type means that many other people who want to steal from you also look at these sites and download exploits and other details. In order to secure an Oracle database you have to understand the types of attack that can occur against it. The second reason is more general, in that these lists contain a huge array of all types of exploits and bugs, not just for Oracle. In general you should understand all sorts of different types of attacks against Oracle. If we went back a few years and looked at bugtraq for instance "in general" and took differnt types of attack against other software we will be able to find attack types that are now found against Oracle. Keep up to date with security in general and apply that knowledge to securing Oracle.

If you are a DBA then subscribe, surf some posts and learn at a high level what the current issues are. It needn't take a huge amount of time, obviously this depends on what and how much you read.

As an example a couple of days ago Deniz Cevik posted an authentication bypass for Oracle Application server in a post titled "Oracle Application Server 10G ORA_DAV Basic Authentication Bypass Vulnerability".

A sample request is shown as:

Make a special http request first by visiting
"http:/site/pls/portal/%0A" url.

This request adds special session id into cookie. Subsequent connection attempts to
"http://site/dav_portal/portal/" will reveal the contents of directory
without any authentication.