
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Stephen Kost (www.integrigy.com) has released an analysis of the mod_plsql 0-day bug / workaround



Tonight Steve Kost emailed me to let me know that he has released an analysis of the recent mod_plsql 0-day bug / workaround. His analysis is very thorough and concentrates mostly on Oracle Applications / E-Business Suite. His findings indicate that the proposed workaround suggested by David Litchfield is very simplistic and will in fact break most Oracle Applications implementations if it is followed.

Steve's paper is titled "mod_plsql security bug disclosure and workaround - Oracle E-Business Suite impact=critical". It first gives the background to the disclosure, then describes why the bug is critical for E-Business Suite and states that 11i is vulnerable. He goes on to say that the workaround is simplistic and will cause problems.

Steve talks about the role of mod_plsql in E-Business Suite and about the built-in validation for access to key packages that works in front of mod_plsql. He goes on to describe the bug as classic SQL injection combined with a failure to block unauthorised packages. Quite interestingly, on page 3 he explains that the bug is more insidious than first described, as any PL/SQL could be executed, and it would be executed as APPS, who has access to all Oracle Applications data and packages.

He then goes on to describe how easy it would be to create a working exploit, as mod_plsql has built-in features that make an exploit easy to write.

Steve then analyses the NGS workaround in detail. He says that the suggested rewrite rules will break Oracle Applications and explains why. He also says that there could be further issues because no placement for the rules is suggested, and he explains why this matters. Finally, he says that the rewrite rules only block GET requests and that POSTs can also be used, which the rules will not process. Steve concludes that the NGS workaround should not be used.

Steve then gives detailed workarounds for a number of different scenarios. This is an important analysis and should be read if you are using the Oracle HTTP server and mod_plsql. It is called "mod_plsql security bug disclosure and workaround - Oracle E-Business Suite impact=critical" and is well worth reading.