Oracle 9iAS OWA_UTIL Stored Procedures Information Disclosure

This script is Copyright (C) 2003-2014 Javier Fernandez-Sanguino


Synopsis :

Sensitive data may be accessed on the remote host.

Description :

Oracle 9iAS can provide access to the PL/SQL application OWA_UTIL, which
provides web access to some stored procedures. Without authentication,
these procedures can allow users to access sensitive information, such as
the source code of applications and user credentials for other database
servers, and to run arbitrary SQL queries on servers accessed by the
application server.

See also :

http://www.nessus.org/u?0f47f278
http://www.nessus.org/u?97653726

Solution :

Apply the appropriate patch listed in Oracle's advisory, which details
how you can restrict unauthenticated access to procedures using the
exclusion_list parameter in the PL/SQL gateway configuration file
'/Apache/modplsql/cfg/wdbsvr.app'.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.8
(CVSS2#E:H/RL:W/RC:C)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 11225

Bugtraq ID: 4294

CVE ID: CVE-2002-0560