pen-test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Oracle Application Server 10g question

from [Lee Lawson] [Permanent Link][Original]
To: PenTest <pen-test@securityfocus.com>
Subject: Oracle Application Server 10g question
From: "Lee Lawson" <leejlawson@gmail.com>
Date: Wed, 14 Mar 2007 10:08:12 +0000
Delivered-to: sp-com-lists@consult.net
Delivered-to: pentest-list2@consult.net
Delivered-to: mailing list pen-test@securityfocus.com
Delivered-to: moderator for pen-test@securityfocus.com
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=dAOQJA3CYaepvZHUyq7Q2if7qkW4ZWMS9qMXcMZmugP5guksULFiOKvk92nNn2/R7DiPlrC60nd3Pqhkx00QiipqVXKjOym2o99cY4YtYZWganw71GgJGd73xwqbMZqOe5vpvJvapJ5VQBRtbcNlta0wSNEguvTYxY46mwwoQqs=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=KsFcSeoNh5JZSwhjnEnswygwzpYx4l8OPFueFmWobdaCGEB4g8x2o8+S/bGkRvUfQ31VE2F6yKwhy4QjSiBHb+bVG1JQJ8FLHObIss0pOp0bzNMFqY27GlbtRrLuiD90+GgPf6ElL3MV7XrjV26AlARt95PnSuiCYdJzetq7VyY=
List-help: <mailto:pen-test-help@securityfocus.com>
List-id: <pen-test.list-id.securityfocus.com>
List-post: <mailto:pen-test@securityfocus.com>
List-subscribe: <mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe: <mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list: contact pen-test-help@securityfocus.com; run by ezmlm
Resent-date: Wed, 14 Mar 2007 13:13:16 -0700 (MST)
Resent-from: pen-test-return-1078483778@securityfocus.com
Resent-message-id: <20070314201316.105382371B2@outgoing3.securityfocus.com>
Resent-sender: listbounce@securityfocus.com
Sender: listbounce@securityfocus.com 
Hi all,

I am conducting a pen test of a web application built on Oracle
Application Server 10g.  Aside from all of the problems that this
system has with XSS, especially within the SSO, I have a question
regarding a specific error message that is returned.

Consider the following URL:
http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL

This is the home page.  If I replace the _pageid= value with a single
quote, I am presented with the following error on the web page.
Error: ORA-06502: PL/SQL: numeric or value error: character to number
conversion error

So a potential SQL injection point, but I cannot get anything to work
with it!  Within the source code of the page however, is the output
from what I believe is the PLVtrc function which traces the call stack
of the PL/SQL runtime engine.

<!-- ----- PL/SQL Call Stack -----
 object      line  object
 handle    number  name
430150638       601  package body PROTOCOL.WWERR_API_ERROR_UI
430150638       499  package body PROTOCOL.WWERR_API_ERROR_UI
430150638       445  package body PROTOCOL.WWERR_API_ERROR_UI
42d0aba28      3089  package body PROTOCOL.WWPOB_PAGE
42d82ed78        30  anonymous block
-->

My question is this...What value is this to an attacker?  I can put
into the report all the vague recommendations that it could be used
gain potentially sensitive information about the target and may be
used to mount a buffer overflow attack, but what real value does it
have?

Anyone seen it before?  What did you recommend and why?

I believe it can be eradicated by disabling the PLVtrc function, or at
the very least, redirecting the output of PLVtrc to a log file and not
to the web page.

Any thoughts?

Thanks,

--
Lee J Lawson
leejlawson@gmail.com

"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Listing hide files via ftp, carlopmart
Next by Date:  [Newbie] Info about ISP Gateways, Gerrit @ DeadSet Internet Technologies
Previous by Thread:  Call for Papers: DeepSec IDSC 2007 Europe/Vienna: 20-23 Nov 2007, enki
Next by Thread:  Re: Oracle Application Server 10g question, Joxean Koret
Indexes:  [Date] [Thread] [Top] [All Lists]