Alex has described a new workaround for the mod_plsql 0-day bug
February 2nd, 2006 by Pete
Alex yesterday released an update to his page "SQL Injection via mod_plsql". In this update Alex describes a new workaround for this issue that has been suggested by Vladimir Zakharychev from Webrecruiter. It works by setting the parameter always_describe to ON in versions up to 3.0.9.x.x, and in higher versions by setting the parameter PlsqlAlwaysDescribeProcedure to ON.
When this parameter is ON, mod_plsql describes every procedure before running it, so a request that tries to inject code rather than name a genuine procedure fails at the describe step and is never executed. Alex warns that enabling this parameter has a performance cost, since the extra describe is done on each request rather than only when a cached description is missing.
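The following dads.conf fragment is an added illustration of the workaround described above and is not from Alex's page or from Oracle. It shows one DAD before and after the change for the newer mod_plsql versions that use the PlsqlAlwaysDescribeProcedure directive (the older always_describe setting lives in a different configuration file and is not shown). The DAD path, database account and connect string are placeholders:

```apache
# Added example, not from the original post. The DAD name (/pls/example),
# the account (webapp) and the connect string (orcl) are placeholders.

# Weak configuration: the default is Off, so a cached description is trusted
# and a crafted procedure name in the URL may not be re-described.
<Location /pls/example>
  SetHandler pls_handler
  Order deny,allow
  Allow from all
  AllowOverride None
  PlsqlDatabaseUsername webapp
  PlsqlDatabasePassword changeme
  PlsqlDatabaseConnectString orcl
  PlsqlAuthenticationMode Basic
  PlsqlAlwaysDescribeProcedure Off
</Location>

# Workaround suggested by Vladimir Zakharychev: describe every procedure
# before it is invoked. Requests that do not name a real procedure fail
# at the describe step. Expect a performance cost on every request.
<Location /pls/example>
  SetHandler pls_handler
  Order deny,allow
  Allow from all
  AllowOverride None
  PlsqlDatabaseUsername webapp
  PlsqlDatabasePassword changeme
  PlsqlDatabaseConnectString orcl
  PlsqlAuthenticationMode Basic
  PlsqlAlwaysDescribeProcedure On
</Location>
```

Only one of the two Location blocks belongs in a real dads.conf; they are shown together here so the single changed directive is easy to spot. After editing dads.conf the Oracle HTTP Server has to be restarted for the new setting to take effect, and it is worth measuring request latency before and after on a busy DAD given the performance warning above.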


