Steve's paper is titled "mod_plsql security bug disclosure and workaround - Oracle E-Business Suite impact=critical". It first gives the background to the disclosure, then describes why the bug is critical for E-Business Suite and notes that 11i is vulnerable. He goes on to say that the workaround will cause problems and is simplistic.
Steve talks about the role of mod_plsql in E-Business Suite and also about the built-in validation for access to key packages that works in front of mod_plsql. He goes on to describe the bug as classic SQL injection combined with a failure to block unauthorised packages. Quite interestingly, on page 3 he explains that the bug is more insidious than first described, as any PL/SQL could be executed, and it would be executed as APPS, which has access to all Oracle Applications data and packages.
He then goes on to describe how easy it would be to create a working exploit, as mod_plsql has built-in features that enable an exploit to be easily written.
Steve then analyses the NGS workaround in detail. He says that the suggested rewrite rules will break Oracle Applications and explains why. He also says that there could be more issues, as no placement for the rules is suggested, and he goes on to explain why this is an issue. Finally, he says that the rewrite rules only block GET requests and that POSTs can also be used, and these will not be processed by the rules. Steve then says that the NGS workaround should not be used.
Steve then gives detailed workarounds for a number of different scenarios. This is an important analysis and should be read if you are using the Oracle HTTP Server and mod_plsql. It is called "mod_plsql security bug disclosure and workaround - Oracle E-Business Suite impact=critical" and is well worth reading.