From: Lee Lawson (leejlawson@gmail.com)
Date: Wed Mar 14 2007 - 05:08:12 EST
Hi all,
I am conducting a pen test of a web application built on Oracle
Application Server 10g. Aside from all of the problems that this
system has with XSS, especially within the SSO, I have a question
regarding a specific error message that is returned.
Consider the following URL:
http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL
This is the home page. If I replace the _pageid= value with a single
quote, I am presented with the following error on the web page.
Error: ORA-06502: PL/SQL: numeric or value error: character to number
conversion error
So a potential SQL injection point, but I cannot get anything to work
with it! Within the source code of the page however, is the output
from what I believe is the PLVtrc function which traces the call stack
of the PL/SQL runtime engine.
<!-- ----- PL/SQL Call Stack -----
object line object
handle number name
430150638 601 package body PROTOCOL.WWERR_API_ERROR_UI
430150638 499 package body PROTOCOL.WWERR_API_ERROR_UI
430150638 445 package body PROTOCOL.WWERR_API_ERROR_UI
42d0aba28 3089 package body PROTOCOL.WWPOB_PAGE
42d82ed78 30 anonymous block
-->
My question is this...What value is this to an attacker? I can put
into the report all the vague recommendations that it could be used
to gain potentially sensitive information about the target and may be
used to mount a buffer overflow attack, but what real value does it
have?
Anyone seen it before? What did you recommend and why?
I believe it can be eradicated by disabling the PLVtrc function, or at
the very least, redirecting the output of PLVtrc to a log file and not
to the web page.
Any thoughts?
Thanks,
--
Lee J Lawson
leejlawson@gmail.com
"Give a man a fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."
"Quidquid latine dictum sit, altum sonatur."
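As an added example (not part of the original post), this Python check can be run over captured response bodies to itemise for a report exactly what the error page discloses: ORA codes, schema names, package names and line numbers. The sample body is constructed from the error text and call stack comment quoted in the post; the function name and report fields are assumptions of this example.

```python
import re

# Constructed sample: an error page body carrying the call stack comment quoted in the post.
SAMPLE_BODY = """<html><body>
Error: ORA-06502: PL/SQL: numeric or value error: character to number conversion error
<!-- ----- PL/SQL Call Stack -----
object line object
handle number name
430150638 601 package body PROTOCOL.WWERR_API_ERROR_UI
430150638 499 package body PROTOCOL.WWERR_API_ERROR_UI
430150638 445 package body PROTOCOL.WWERR_API_ERROR_UI
42d0aba28 3089 package body PROTOCOL.WWPOB_PAGE
42d82ed78 30 anonymous block
-->
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
ORA_RE = re.compile(r"\bORA-\d{5}\b")
# One stack row: hex object handle, line number, object description.
FRAME_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\d+)\s+(.+?)\s*$")
QUALIFIED_RE = re.compile(r"\b([A-Z][A-Z0-9_$#]*)\.([A-Z][A-Z0-9_$#]*)$")


def audit_response(body):
    """Report what an error page discloses: ORA codes, stack frames, schema and object names."""
    frames = []
    for comment in COMMENT_RE.findall(body):
        if "PL/SQL Call Stack" not in comment:
            continue  # ordinary HTML comment, not a leaked stack
        for row in map(FRAME_RE.match, comment.splitlines()):
            if row:  # header lines do not start with a hex handle, so they are skipped
                frames.append({"handle": row[1], "line": int(row[2]), "object": row[3]})
    named = [q for q in (QUALIFIED_RE.search(f["object"]) for f in frames) if q]
    return {
        "ora_codes": sorted(set(ORA_RE.findall(body))),
        "frames": frames,
        "schemas": sorted({q[1] for q in named}),
        "objects": sorted({q[0] for q in named}),
        "leaks_stack": bool(frames),
    }


if __name__ == "__main__":
    for key, value in audit_response(SAMPLE_BODY).items():
        print(key, "=", value)
```

Running the same check against the page after remediation should return `leaks_stack` as false and an empty `ora_codes` list.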