Oracle 9iAS PL/SQL Gateway Web Admin Interface Null Authentication

Severity: High | Nessus Plugin ID 11452

Synopsis

The remote host has an application that is affected by an authentication bypass vulnerability.

Description

Oracle 9i Application Server uses Apache as its web server, with an Apache module (mod_plsql, the PL/SQL Gateway) providing PL/SQL support.

By default, no authentication is required to access the DAD (Database Access Descriptor) configuration page of the gateway's web administration interface. An attacker may use this flaw to modify PL/SQL applications or prevent the remote host from working properly.

Solution

Access to the administration page can be restricted by editing the gateway configuration file /Apache/modplsql/cfg/wdbsvr.app.

See Also

http://www.nessus.org/u?ffaefc17

Plugin Details

Severity: High

ID: 11452

File Name: oracle9i_mod_plsql_config.nasl

Version: 1.20

Type: remote

Family: Databases

Published: 3/24/2003

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:oracle:application_server, cpe:/a:oracle:application_server_web_cache

Required KB Items: www/OracleApache

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2002

Vulnerability Publication Date: 1/10/2002

Reference Information

CVE: CVE-2002-0561

BID: 4292