allowing access PORTAL
390361 Aug 9 2010 — edited Aug 27 2010

First, I apologize for not being very fluent in English.
Some time ago, the information systems security team in our company ran security checks on our existing mail server using the tool Nikto v2.02/2.03, and found that the Oracle Collaboration Suite application we use still has vulnerabilities like those below:
- Nikto v2.02/2.03
---------------------------------------------------------------------------
+ Target IP: 172.23.1.5
+ Target Hostname: 172.23.1.5
+ Target Port: 7778
+ Start Time: 2010-04-15 11:42:03
---------------------------------------------------------------------------
+ Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=107728384405,0)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
- Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-0: HTTP method ('Allow' Header): 'CONNECT' may allow server to proxy client requests.
+ OSVDB-13431: HTTP method ('Allow' Header): 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.
+ OSVDB-425: HTTP method ('Allow' Header): 'PROPPATCH' indicates DAV/WebDAV is installed.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Apache/2.0.47 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ mod_jk/1.2.5 appears to be outdated (current is at least 1.2.26)
+ PHP/5.1.6 appears to be outdated (current is at least 5.2.6)
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ mod_ssl/2.2.3 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.8c appears to be outdated (current is at least 0.9.8g) (may depend on server version)
+ PHP/5.1.6 appears to be outdated (current is at least 5.2.6)
+ PHP/5.2.1 appears to be outdated (current is at least 5.2.6)
+ Apache/2.2.4 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ mod_ssl/2.2.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.8e appears to be outdated (current is at least 0.9.8g) (may depend on server version)
+ PHP/5.2.1 appears to be outdated (current is at least 5.2.6)
+ Microsoft-IIS/6.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k)
+ Oracle-Application-Server-10g/10.1.2.0.2Oracle-HTTP-ServerOracleAS-Web-Cache-10g/10.1.2.0.2(N;ecid=107728384405,0) appears to be outdated (current is at least 10.1.3.1.0)
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-700: GET /fcgi-bin/echo?foo=<script>alert('Vulnerable')</script> : Fast-CGI has two default CGI programs (echo.exe/echo2.exe) vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3954: GET /fcgi-bin/echo2?foo=<script>alert('Vulnerable')</script> : Fast-CGI has two default CGI programs (echo.exe/echo2.exe) vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-877: TRACK / : TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-561: GET /server-status : This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3092: GET /fcgi-bin/echo : The FastCGI echo program may reveal system info or lead to other attacks.
+ OSVDB-3092: GET /fcgi-bin/echo2 : The FastCGI echo2 program may reveal system info or lead to other attacks.
+ OSVDB-3093: GET /pls/portal/PORTAL_DEMO.ORG_CHART.SHOW : Access to Oracle pages cold have an unknown impact.
+ OSVDB-3093: GET /pls/portal/PORTAL.wwa_app_module.link : Access to Oracle pages cold have an unknown impact.
+ OSVDB-3093: GET /pls/portal/PORTAL.wwv_setting.render_css : Access to Oracle pages cold have an unknown impact.
+ OSVDB-3093: GET /pls/portal/PORTAL.wwv_main.render_warning_screen?p_oldurl=inTellectPRO&p_newurl=inTellectPRO : Access to Oracle pages cold have an unknown impact.
+ OSVDB-3093: GET /pls/portal/null : Access to Oracle pages cold have an unknown impact.
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 2967 items checked: 36 item(s) reported on remote host
+ End Time: 2010-04-15 11:43:01 (58 seconds)
Summary of findings:
Vulnerability on ports 7778/tcp and 7779/tcp
If Oracle 9iAS is installed, it allows access to PORTAL_DEMO.ORG_CHART
through mod_plsql. Access to these pages should be limited, because it enables SQL injection attacks.
Suggestion:
Remove the EXECUTE grant for PUBLIC from the PL/SQL package in the schema
PORTAL_DEMO (REVOKE execute ON portal_demo.org_chart FROM public;).
The Question:
How do I carry out the advice given (step by step), and what about its impact on future applications? What could cause the application to stop working?
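The following is an added example, not part of the original post and not Oracle's own documentation. It shows, as a DBA session in SQL*Plus, how to confirm the PUBLIC EXECUTE grant the finding refers to, check what else depends on the package before removing it (the "impact" half of the question), apply the suggested REVOKE, and verify the result. The schema and package names (PORTAL_DEMO, ORG_CHART) are taken from the post; the data dictionary views used (DBA_TAB_PRIVS, DBA_DEPENDENCIES) are standard Oracle views.

```sql
-- Added example (not from the original post). Run as SYS or another DBA
-- account. Schema and package names come from the scanner finding above.

-- 1. Confirm that the grant the finding refers to actually exists.
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE owner      = 'PORTAL_DEMO'
   AND table_name = 'ORG_CHART'
   AND grantee    = 'PUBLIC';

-- 2. Impact check before revoking: any object in another schema that
--    references the package will be marked INVALID once the grant is gone.
--    An empty result means no stored code outside PORTAL_DEMO uses it.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'PORTAL_DEMO'
   AND referenced_name  = 'ORG_CHART'
   AND owner <> 'PORTAL_DEMO';

-- 3. The scanner only probes a handful of URLs; list every other PUBLIC
--    EXECUTE grant in the demo schema so they can be reviewed the same way.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND owner     = 'PORTAL_DEMO'
 ORDER BY table_name;

-- 4. Apply the fix suggested in the finding.
REVOKE EXECUTE ON portal_demo.org_chart FROM PUBLIC;

-- 5. Verify: the count must now be 0.
SELECT COUNT(*) AS remaining_public_grants
  FROM dba_tab_privs
 WHERE owner      = 'PORTAL_DEMO'
   AND table_name = 'ORG_CHART'
   AND grantee    = 'PUBLIC';
```

Two caveats on the impact question. DBA_DEPENDENCIES only records references compiled into stored PL/SQL, views and so on; code that calls the package dynamically (for example through a mod_plsql URL, which is exactly how the scanner reached it) does not appear there, so application code should also be searched for the package name. After the revoke, the /pls/portal/PORTAL_DEMO.ORG_CHART.SHOW URL is expected to return an error from mod_plsql; that is the intended outcome, not a breakage, because the demo package is not used by the product itself.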