
Pete Finnigan's Oracle security weblog



Oracle Application Server 10g ORA_DAV basic authentication bypass

May 14th, 2008 by Pete


I would recommend that anyone interested in securing their Oracle database subscribe to some of the major security lists, such as the bugtraq list at securityfocus.com or the full disclosure list. There are plenty more besides these, but these are the major ones.

Why subscribe? Well, it's important for two reasons (BTW, I am not suggesting in any way that you should read every post - well, unless you want to). The first is that these lists get Oracle vulnerabilities posted on a reasonably regular basis, and it's worth understanding the sorts of bugs, vulnerabilities and exploits that are out there. The proliferation of lists like these, and of exploit sites like Milw0rm that can be searched for exploits by vendor and type, means that many other people who want to steal from you also look at these sites and download exploits and other details. In order to secure an Oracle database you have to understand the types of attack that can occur against it. The second reason is more general: these lists contain a huge array of all types of exploits and bugs, not just for Oracle, and you should understand all sorts of different types of attack against Oracle. If we went back a few years and looked at bugtraq "in general", taking the different types of attack against other software, we would be able to find attack types that are now found against Oracle. Keep up to date with security in general and apply that knowledge to securing Oracle.

If you are a DBA then subscribe, skim some posts and learn at a high level what the current issues are. It needn't take a huge amount of time; obviously this depends on what and how much you read.

As an example, a couple of days ago Deniz Cevik posted an authentication bypass for Oracle Application Server in a post titled "Oracle Application Server 10G ORA_DAV Basic Authentication Bypass Vulnerability".

A sample request is shown as:

Make a special HTTP request first by visiting the
"http://site/pls/portal/%0A" URL.

This request adds a special session id into the cookie. Subsequent connection attempts to
"http://site/dav_portal/portal/" will reveal the contents of the directory
without any authentication.

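For anyone who wants to check their own web server logs for the pattern the advisory describes, here is an added example (not part of this post or of Deniz Cevik's advisory) that scans access log lines for a control character in a /pls/portal/ request and then for a successful /dav_portal/ listing from the same client shortly afterwards. It assumes the Apache combined log format used by Oracle HTTP Server; the log lines, addresses and the 10 minute window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access log lines (combined log format assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2008:10:01:02 +0000] "GET /pls/portal/%0A HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [14/May/2008:10:01:09 +0000] "GET /dav_portal/portal/ HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
10.0.0.9 - - [14/May/2008:10:02:30 +0000] "GET /dav_portal/portal/ HTTP/1.1" 401 0 "-" "Mozilla/4.0"
10.0.0.7 - - [14/May/2008:10:03:00 +0000] "GET /pls/portal/index.html HTTP/1.1" 200 900 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req["decoded"] = unquote(req["path"])  # %0A becomes a real newline here
    return req

def is_crlf_probe(req):
    """The advisory's trigger: a LF or CR character inside a /pls/portal/ path."""
    path = req["decoded"]
    return path.startswith("/pls/portal/") and ("\n" in path or "\r" in path)

def find_bypass_chains(log_text, window=timedelta(minutes=10)):
    """Return (kind, ip, raw_path) findings: 'probe' for the %0A request,
    'bypass' for a 200 on /dav_portal/ from an IP that probed within `window`."""
    probes = defaultdict(list)  # ip -> timestamps of probe requests
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        if is_crlf_probe(req):
            probes[req["ip"]].append(req["ts"])
            findings.append(("probe", req["ip"], req["path"]))
        elif req["decoded"].startswith("/dav_portal/") and req["status"] == "200":
            if any(req["ts"] - t <= window for t in probes[req["ip"]]):
                findings.append(("bypass", req["ip"], req["path"]))
    return findings

if __name__ == "__main__":
    for finding in find_bypass_chains(SAMPLE_LOG):
        print(finding)
```

A 401 on /dav_portal/ without a preceding probe (the 10.0.0.9 line) is ordinary, so it is not reported; only the probe-then-200 sequence from one client is.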



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
