COMMAND

    Oracle

SYSTEMS AFFECTED

    Oracle

PROBLEM

    Michal Zalewski found the following.  To understand this issue,
    please take a look at the following first:

        http://oliver.efri.hr/~crv/security/bugs/Others/oracle19.html

    The fix proposed is broken by design:

        http://server/pls/somedad/%0aselect...
        http://www.oracle.com/pls/oracle8i/%0aselect%09something...

    ...sorry for the example.  Of course, as someone pointed out, you
    can use, for example, the owa_util package (owa_util.showsource
    might be useful), not only abuse plain PL/SQL queries.  Nasty and
    tasty.

    If you were vulnerable, you are still vulnerable.

SOLUTION

    Oracle has released a patch for Oracle Internet Application Server
    which introduces a new configuration parameter in mod_plsql called
    exclusion_list.  This parameter can be used to disallow URLs  with
    specific formats  from being  passed to  mod_plsql; by  default it
    excludes URLs with special characters such as space, tab, newline,
    carriage return,  single quote,  and backslash.    This  patch  is
    available  (patch  #1554571)  on  Oracle's  Support  Services site
    (http://metalink.oracle.com/);  it  may  be  found by searching on
    patches  for   Oracle  Portal   or  Oracle9i   Application  Server
    Enterprise Edition.

    Oracle  recommends  that  this   patch  be  applied  to   Internet
    Application Server version  1.0.2.0.  Internet  Application Server
    version 1.0.2.1,  and future  versions, are  scheduled to  include
    the patch.

    Note also that the Apache listener in Oracle Internet  Application
    Server already allows  customers to define  "inclusion-only" rules
    in  the  plsql.conf  configuration  file.   This  can  be  used to
    prevent outside user access  to any PL/SQL procedure  except those
    for  which   outside  user   access  is   explicitly  granted   in
    plsql.conf.  These rules are case sensitive.
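
    A log check built on the two mitigations described above, as an
    added example that is not part of the original advisory or Oracle's
    code: it percent-decodes the part of a /pls/ URL after the DAD name,
    flags the characters the default exclusion_list is said to reject,
    then applies a case-sensitive inclusion-only list.  The allow-list
    entries, log lines and function names are constructed; mod_plsql's
    own matching logic is not reproduced here.

```python
import re
from urllib.parse import unquote

# Characters the advisory lists as excluded by default.
EXCLUDED = {" ": "space", "\t": "tab", "\n": "newline",
            "\r": "carriage return", "'": "single quote", "\\": "backslash"}

# Hypothetical inclusion-only list (constructed); matching is case sensitive.
ALLOWED = {"portal.home", "app.show_page"}

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PLS_URL = re.compile(r"^/pls/([^/]+)/([^?]*)")

def check_request(raw_path):
    """Classify one raw (still percent-encoded) request path."""
    m = PLS_URL.match(raw_path)
    if not m:
        return ("ignore", "not a mod_plsql URL")
    # Decode percent-escapes so %0a and %09 are seen as newline and tab.
    proc = unquote(m.group(2))
    hits = sorted({name for ch, name in EXCLUDED.items() if ch in proc})
    if hits:
        return ("block", "special characters: " + ", ".join(hits))
    if proc not in ALLOWED:
        return ("block", "procedure not in allow-list")
    return ("allow", "listed procedure")

def scan(log_lines):
    """Return (path, reason) for every logged request that would be refused."""
    findings = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m:
            verdict, reason = check_request(m.group(1))
            if verdict == "block":
                findings.append((m.group(1), reason))
    return findings

# Constructed access-log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /pls/somedad/portal.home HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET /pls/somedad/%0aselect%09something HTTP/1.0" 200 90',
    '192.0.2.12 - - [01/Jan/2001:10:00:09 +0000] "GET /pls/somedad/owa_util.showsource HTTP/1.0" 200 77',
    '192.0.2.13 - - [01/Jan/2001:10:00:12 +0000] "GET /pls/somedad/Portal.Home HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

    The owa_util.showsource line contains none of the excluded
    characters, so only the inclusion-only list refuses it.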