Oracle Application Server 10g question

From: Lee Lawson (leejlawson@gmail.com)
Date: Wed Mar 14 2007 - 05:08:12 EST


Hi all,

I am conducting a pen test of a web application built on Oracle
Application Server 10g. Aside from all of the problems that this
system has with XSS, especially within the SSO, I have a question
regarding a specific error message that is returned.

Consider the following URL:
http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL

This is the home page. If I replace the _pageid= value with a single
quote, I am presented with the following error on the web page.
Error: ORA-06502: PL/SQL: numeric or value error: character to number
conversion error

So a potential SQL injection point, but I cannot get anything to work
with it! Within the source code of the page however, is the output
from what I believe is the PLVtrc function which traces the call stack
of the PL/SQL runtime engine.

<!-- ----- PL/SQL Call Stack -----
  object line object
  handle number name
430150638 601 package body PROTOCOL.WWERR_API_ERROR_UI
430150638 499 package body PROTOCOL.WWERR_API_ERROR_UI
430150638 445 package body PROTOCOL.WWERR_API_ERROR_UI
42d0aba28 3089 package body PROTOCOL.WWPOB_PAGE
42d82ed78 30 anonymous block
 -->

My question is this: what value is this to an attacker? I can put
into the report all the vague recommendations that it could be used
to gain potentially sensitive information about the target and may be
used to mount a buffer overflow attack, but what real value does it
have?

Anyone seen it before? What did you recommend and why?

I believe it can be eradicated by disabling the PLVtrc function, or at
the very least, redirecting the output of PLVtrc to a log file and not
to the web page.

Any thoughts?

Thanks,

-- 
Lee J Lawson
leejlawson@gmail.com
"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."
"Quidquid latine dictum sit, altum sonatur."
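As an added example (not code from the original post, from Oracle, or from any Portal component), the following Python triages a response like the one described in the post: it pulls out the ORA- codes on the page and parses the `----- PL/SQL Call Stack -----` HTML comment into frames, so a tester can list the schema names, package names and line numbers the application leaks. The sample response body is constructed from the frames quoted in the post; the "object handle / line number / object name" layout is the one Oracle's DBMS_UTILITY.FORMAT_CALL_STACK produces, so the same header is a useful string to search for across a site's error pages.

```python
"""Triage Oracle error disclosures found in an HTTP response body.

Added example: extracts ORA-xxxxx codes and parses a PL/SQL call stack
that an error handler has written into an HTML comment. The sample
response below is constructed from the frames quoted in the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample response, modelled on the page the post describes.
SAMPLE_RESPONSE = """<html><body>
Error: ORA-06502: PL/SQL: numeric or value error: character to number
conversion error
<!-- ----- PL/SQL Call Stack -----
  object line object
  handle number name
430150638 601 package body PROTOCOL.WWERR_API_ERROR_UI
430150638 499 package body PROTOCOL.WWERR_API_ERROR_UI
430150638 445 package body PROTOCOL.WWERR_API_ERROR_UI
42d0aba28 3089 package body PROTOCOL.WWPOB_PAGE
42d82ed78 30 anonymous block
 -->
</body></html>"""


@dataclass
class OraError:
    code: str      # five-digit code, e.g. "06502"
    message: str   # message text with line wraps collapsed


@dataclass
class Frame:
    handle: str            # object handle as printed (hex)
    line: int              # line number inside the object
    kind: str              # e.g. "package body", "anonymous block"
    name: Optional[str]    # qualified name such as PROTOCOL.WWPOB_PAGE, or None


# ORA code plus message, up to the next tag or end of input; DOTALL lets the
# message span a wrapped line.
ORA_RE = re.compile(r"ORA-(\d{5}):\s*(.*?)\s*(?=<|\Z)", re.DOTALL)
# The call-stack comment as emitted by DBMS_UTILITY.FORMAT_CALL_STACK.
STACK_RE = re.compile(r"<!--\s*-+\s*PL/SQL Call Stack\s*-+\s*(.*?)-->", re.DOTALL)
# One frame: hex handle, decimal line number, then the object description.
FRAME_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\d+)\s+(.+?)\s*$")


def parse_ora_errors(body: str) -> List[OraError]:
    """Return every ORA-xxxxx error found in the body."""
    return [OraError(code, " ".join(msg.split())) for code, msg in ORA_RE.findall(body)]


def parse_call_stack(body: str) -> List[Frame]:
    """Return the frames of the first leaked PL/SQL call stack, top first."""
    frames: List[Frame] = []
    match = STACK_RE.search(body)
    if not match:
        return frames
    for raw in match.group(1).splitlines():
        fm = FRAME_RE.match(raw)
        if not fm:
            continue  # skips the two header lines and blank lines
        handle, line, rest = fm.groups()
        tokens = rest.split()
        if "." in tokens[-1]:          # "package body SCHEMA.NAME"
            kind, name = " ".join(tokens[:-1]), tokens[-1]
        else:                          # "anonymous block"
            kind, name = rest, None
        frames.append(Frame(handle, int(line), kind, name))
    return frames


def summarize(body: str) -> dict:
    """Collect what an attacker learns: error codes, schemas, packages, frames."""
    frames = parse_call_stack(body)
    names = [f.name for f in frames if f.name]
    return {
        "ora_codes": [e.code for e in parse_ora_errors(body)],
        "schemas": sorted({n.split(".", 1)[0] for n in names}),
        "packages": sorted(set(names)),
        "frames": frames,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_RESPONSE)
    print("ORA codes :", result["ora_codes"])
    print("schemas   :", result["schemas"])
    print("packages  :", result["packages"])
    for f in result["frames"]:
        print(f"  {f.kind:<15} {f.name or '-':<35} line {f.line}")
```

Run against the constructed sample, the summary lists one error code (06502), one schema (PROTOCOL), two packages and five frames with their line numbers; that is the concrete content a report can cite instead of a generic "information disclosure" finding. ORA-06502 with "character to number conversion error" means the supplied value reached a character-to-number conversion, which is worth recording alongside any failed injection attempts against that parameter.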


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:39 EDT