Oracle 9iAS PL/SQL Gateway Web Admin Interface Null Authentication

This script is Copyright (C) 2003-2014 Tenable Network Security, Inc.


Synopsis :

The remote host has an application that is affected by an
authentication bypass vulnerability.

Description :

Oracle 9i Application Server uses Apache as its web
server with an Apache module for PL/SQL support.

By default, no authentication is required to access the
DAD (Database Access Descriptor) configuration page. An
attacker may use this flaw to modify PL/SQL applications
or prevent the remote host from working properly.

See also :

http://www.nessus.org/u?ffaefc17

Solution :

Access to the relevant page can be restricted by
editing the file /Apache/modplsql/cfg/wdbsvr.app.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 7.5
(CVSS2#E:H/RL:U/RC:C)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 11452

Bugtraq ID: 4292

CVE ID: CVE-2002-0561