{"vuid":"VU#307835","idnumber":"307835","name":"Oracle9i Application Server OWA_UTIL procedures expose sensitive information","keywords":["Oracle 9iAS","OWA_UTIL","PL/SQL","signature","showsource","cellsprint","listprint","show_query_column","information disclosure"],"overview":"Oracle9i Application Server (iAS) provides a Procedural Language/Structured Query Language (PL/SQL) application (package) called OWA_UTIL that provides web access to a number of stored procedures. These procedures could be used by an attacker to view the source code of PL/SQL applications, obtain credentials and access to other database servers, and run SQL queries on accessible database servers.","clean_desc":"David Litchfield of NGSSoftware has released a paper titled Hackproofing Oracle Application Server that describes a number of security issues in Oracle's PL/SQL system. This document addresses a problem in which a number of procedures in the OWA_UTIL PL/SQL application disclose sensitive information. Quoting from Hackproofing: PL/SQL is Oracle’s Procedural Language extension to Structured Query Language. PL/SQL packages [applications] are essentially stored procedures in the database. The package exposes procedures that can be called directly, but also has functions that are called internally from within another package. The PL/SQL module for Apache extends the functionality of a web server, enabling the web server to execute these stored PL/SQL packages in the database. The best way to imagine the PL/SQL module is like a gateway into an Oracle database server over the Web using stored procedures. The OWA_UTIL PL/SQL application exposes a number of procedures to the web via the Apache PL/SQL module. By default, anonymous web access is permitted to some of these procedures. OWA_UTIL.signature returns a message containing version information about the PL/SQL module. An attacker could use this procedure to verify access to OWA_UTIL. 
OWA_UTIL.showsource returns the source code of the specified PL/SQL application. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.cellsprint is prevented by default. OWA_UTIL.cellsprint allows an attacker to run arbitrary SQL queries. Litchfield notes that queries could be made to the sys.link$ table, which could provide credentials and access to other Oracle database servers. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.cellsprint is prevented by default. OWA_UTIL.listprint allows an attacker to run arbitrary SQL queries, but only returns specified columns. OWA_UTIL.show_query_columns returns column names of a database table. This procedure could be used to obtain column names for use with OWA_UTIL.listprint. The PL/SQL module provides a configuration parameter called exclusion_list. Procedures (as well as applications and schemas) specified in exclusion_list cannot be directly executed over the web. As noted above, Oracle9i AS v1.0.2.2 documentation states that web access to OWA_UTIL.showsource and OWA_UTIL.cellsprint is prevented by default. The vulnerable PL/SQL module may also be used by Oracle9i Database and Oracle8i Database.","impact":"An unauthenticated, remote attacker could use procedures provided by OWA_UTIL to view the source code of PL/SQL applications, obtain access credentials for other database servers, access other database servers, and perform SQL queries on accessible database servers.","resolution":"Block or Restrict Access\nUnauthenticated PUBLIC access to PL/SQL procedures and applications can be restricted using the exclusion_list parameter in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/wdbsvr.app. This solution is described in Oracle Security Alert #28. 
For more information, read the section titled Protecting the PL/SQL Procedures Granted to PUBLIC in the Oracle iAS documentation under Using the PL/SQL Gateway.","workarounds":"Disable Vulnerable Service Disable the PL/SQL service (modplsql or mod_plsql in Apache).","sysaffected":"","thanks":"The CERT Coordination Center thanks David Litchfield of NGSSoftware for information used in this document.","author":"This document was written by Art Manion.","public":["http://www.nextgenss.com/papers/hpoas.pdf","http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf","http://www.securityfocus.com/bid/4294","http://www.iss.net/security_center/static/8451.php"],"cveids":["CVE-2002-0560"],"certadvisory":"CA-2002-08","uscerttechnicalalert":null,"datecreated":"2002-02-06T19:18:58Z","publicdate":"2002-01-10T00:00:00Z","datefirstpublished":"2002-03-11T22:36:55Z","dateupdated":"2002-11-15T21:43:07Z","revision":42,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"7","cam_impact":"10","cam_easeofexploitation":"17","cam_attackeraccessrequired":"20","cam_scorecurrent":"10.26375","cam_scorecurrentwidelyknown":"10.26375","cam_scorecurrentwidelyknownexploited":"19.18875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":10.26375,"vulnote":null}