Oracle Application Server HTTP Service Mod_Access Restriction Bypass Vulnerability

Bugtraq ID:	13418
Class:	Design Error
CVE:	CVE-2005-1383
Remote:	Yes
Local:	No
Published:	Apr 28 2005 12:00AM
Updated:	Jul 12 2009 02:06PM
Credit:	Discovery of this issue is credited to Alexander Kornbrust.
Vulnerable:	Oracle Oracle9i Application Server 9.2 .0.6 Oracle Oracle9i Application Server 9.0.3 .1 Oracle Oracle9i Application Server 9.0.3 Oracle Oracle9i Application Server 9.0.2 .3 Oracle Oracle9i Application Server 9.0.2 .2 Oracle Oracle9i Application Server 9.0.2 .1 Oracle Oracle9i Application Server 9.0.2 .0.1 Oracle Oracle9i Application Server 9.0.2 .0.0 Oracle Oracle9i Application Server 9.0.2 Oracle Oracle9i Application Server 1.0.2 .2.2 Oracle Oracle9i Application Server 1.0.2 .2 Oracle Oracle9i Application Server 1.0.2 .1s Oracle Oracle9i Application Server 1.0.2 Oracle Oracle9i Application Server - Compaq Tru64 5.1 - Compaq Tru64 5.0 f - Compaq Tru64 5.0 a - Compaq Tru64 5.0 - Compaq Tru64 4.0 g - HP HP-UX 11.11 - HP HP-UX 11.0 4 - HP HP-UX 11.0 - HP HP-UX 10.34 - HP HP-UX 10.30 - HP HP-UX 10.26 - HP HP-UX 10.20 - HP HP-UX 10.16 - HP HP-UX 10.10 - HP HP-UX 10.9 - HP HP-UX 10.8 - HP HP-UX 10.1 0 - HP HP-UX 10.0 1 - HP HP-UX 10.0 - HP HP-UX 9.10 - HP HP-UX 9.9 - HP HP-UX 9.8 - HP HP-UX 9.7 - HP HP-UX 9.6 - HP HP-UX 9.5 - HP HP-UX 9.4 - HP HP-UX 9.3 - HP HP-UX 9.1 - HP HP-UX 9.0 - HP HP-UX 8.9 - HP HP-UX 8.8 - HP HP-UX 8.7 - HP HP-UX 8.6 - HP HP-UX 8.5 - HP HP-UX 8.4 - HP HP-UX 8.2 - HP HP-UX 8.1 - HP HP-UX 8.0 - HP HP-UX 7.8 - HP HP-UX 7.6 - HP HP-UX 7.4 - HP HP-UX 7.2 - HP HP-UX 7.0 - IBM AIX 4.3.3 - IBM AIX 4.3.2 - IBM AIX 4.3.1 - IBM AIX 4.3 - IBM AIX 4.2.1 - IBM AIX 4.2 - IBM AIX 4.1.5 - IBM AIX 4.1.4 - IBM AIX 4.1.3 - IBM AIX 4.1.2 - IBM AIX 4.1.1 - IBM AIX 4.1 - IBM AIX 4.0 - IBM AIX 3.2.5 - IBM AIX 3.2.4 - IBM AIX 3.2 - IBM AIX 3.1 - IBM AIX 3.0 x - IBM AIX 2.2.1 - IBM AIX 1.3 - IBM AIX 1.2.1 - IBM AIX 5.1 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 - Sun Solaris 1.1.4 -JL - Sun Solaris 1.1.4 - Sun Solaris 1.1.3 _U1 - Sun Solaris 1.1.3 - Sun Solaris 1.1.2 - Sun Solaris 1.1.1 - Sun Solaris 8_x86 - Sun Solaris 8_sparc - Sun Solaris 7.0_x86 - Sun Solaris 7.0 - Sun Solaris 2.6_x86HW5/98 - Sun Solaris 2.6_x86HW3/98 - Sun Solaris 2.6_x86 - Sun Solaris 2.6 HW5/98 - Sun Solaris 2.6 HW3/98 - Sun Solaris 2.6 - Sun Solaris 2.5_x86 - Sun Solaris 2.5 - Sun Solaris 2.4_x86 - Sun Solaris 2.4 - Sun Solaris 2.3 - Sun Solaris 2.2 - Sun Solaris 2.1 - Sun Solaris 2.0 - Sun Solaris 1.2 - Sun Solaris 1.1 Oracle Oracle10g Application Server 10.1.2 Oracle Oracle10g Application Server 10.1 .0.3.1 Oracle Oracle10g Application Server 10.1 .0.3 Oracle Oracle10g Application Server 10.1 .0.2 Oracle Oracle10g Application Server 9.0.4 .1 Oracle Oracle10g Application Server 9.0.4 .0 Oracle Oracle HTTP Server 9.2 .0 + Apache Apache 1.3.22 Oracle Oracle HTTP Server 9.0.1 Oracle Oracle HTTP Server 8.1.7 + Apache Apache 1.3.12 + Oracle Oracle8 8.1.7 + Oracle Oracle8i Enterprise Edition 8.1.7 .0.0 + Oracle Oracle8i Standard Edition 8.1.7
Not Vulnerable:

Oracle Application Server HTTP Service Mod_Access Restriction Bypass Vulnerability

Oracle HTTP Server(OHS) of Oracle Application Server is prone to an access restriction bypass vulnerability.

It is possible to configure a list of forbidden URIs in OHS. This is accomplished using 'mod_access'. A URI that is listed is not supposed to be accessible to certain clients, depending on the configuration. However, reports indicate that the Oracle Webcache client may be used to access URIs regardless of the restrictions outlined in OHS 'mod_access'.

Oracle Application Server HTTP Service Mod_Access Restriction Bypass Vulnerability

The following examples are available:
(Port 7778 = Webcache, Port 7779 = OHS)

The following URLs are NOT protected if you access them via Webcache:
http://example.com:7778/dmsoc4j/AggreSpy?format=metrictable&nountype=ohs_child&orderby=Name
http://example.com:7778/server-status
http://example.com:7778/dms0

The following URLs are protected:
http://example.com:7779/dmsoc4j/AggreSpy?format=metrictable&nountype=ohs_child&orderby=Name
http://example.com:7779/server-status
http://example.com:7779/dms0

Oracle Application Server HTTP Service Mod_Access Restriction Bypass Vulnerability

Solution:
It is reported that the vendor has addressed this vulnerability by introducing the parameter 'UseWebcacheIP' to the Oracle HTTP Server(OHS). This is not confirmed. Customers are advised to contact the vendor to obtain further information in regards to this parameter.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

Oracle Application Server HTTP Service Mod_Access Restriction Bypass Vulnerability

References:

• Oracle Homepage (Oracle)
  
• Webcache Client Requests bypasses OHS mod_access Restrictions (Alexander Kornbrust)
  
• Webcache Client Requests Bypass OHS mod_access Restrictions (Alexander Kornbrust )