Oracle Audit / Hardening
Security Training

Oracle Security Blog
Published AlertsRSS Published Alerts
Upcoming AlertsRSS Published Alerts
Patch Information
Oracle Fact Sheets

News & Events



Search Red-Database-Security
SQL Injection via mod_plsql

Name SQL Injection via mod_plsql
Severity High Risk
Category SQL Injection
Vendor URL
Author Alexander Kornbrust (ak at
Date 26 January 2006 (V 1.00)
Bug reporter David Litchfield, NGSSoftware
Bug Status
Fixed with Oracle CPU April 2006

A typical mod_plsql URL is This sample URL executes the procedure helloworld of the user X. To avoid accessing (mighty) packages which are granted to public, Oracle is blocking the access of procedures / packages containing the following (hardcoded) strings and user defined exclusions (exclusion_list):
Oracle generates an anonymous PL/SQL-block containing the procedure name (e.g. x.helloworld) to compare the procedure name from the URL with the values from the exclusion list. You can see the entire generated PL/SQL source by adding the following strings to the WDBSVR.APP


All debug information will be stored in the $ORACLE_HOME/Apache/modplsql/log/<DAD>/<PORT>

An extract of the generated PL/SQL code is here:
if (owa_match.match_pattern('x.helloworld', simple_list__, complex_list__, true)) then
  rc__ := 2;
By sending a specially crafted procedure name, containing a ")", it is possible to bypass the package owa_match.
The workaround with URLRewrite blocks all requests containing closed brackets.

Affected Products
All Oracle products running mod_plsql (e.g. Application Server or HTTP/OHS running from the database)

Patch Information
This bug is NOT fixed with Critical Patch Update January 2006.
David Litchfield posted a workaround with URLRewrite with mod_plsql.

Workaround for Oracle mod_plsql Use URLRewrite to block potential dangerous URLs containing a ")".
RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$
RewriteRule ^.*\).*|.*%29.*$
Problems with this workaround

Integrigy recommends in the Security Analysis of the mod_plsql security bug like Oracle in their press statements NOT to use this workaround. After reading the analysis from Integrigy I agree with their recommendation.

Another Workaround

Vladimir Zakharychev from Webrecruiter informed me about another workaround for the mod_plsql SQL Injection issue. Setting the value "always_describe" (up to 3.0.9.x.x) or "PlsqlAlwaysDescribeProcedure" (higher than 3.0.9.x) to ON in the dads.conf protects from the SQL Injection vulnerability in mod_plsql.

What is PlsqlAlwaysDescribeProcedure?
PlsqlAlwaysDescribeProcedure specifies whether mod_plsql should describe a procedure before trying to execute it. If this is set to "On", then mod_plsql will always describe a procedure before invoking it. Otherwise, mod_plsql will only describe a procedure when its internal heuristics have interpreted a parameter type incorrectly.

If PlsqlAlwaysDescribeProcedure is enabled, Oracle tries to describe every PL/SQL procedure. If a hacker injects pl/sql code, Oracle tries to describe this specially crafted string but fails because this procedure does not exist.

Potential problems with this workaround
Using this switch could have a negative impact on the application performance.


26-oct-2005 David Litchfield from NGS informed Oracle
7-nov-2005 David Litchfield informed the NISCC
25-jan-2006 David Litchfield posted a workaround for this unpatched vulnerability
26-jan-2006 Red-Database-Security released this analysis of the vulnerability
27-jan-2006 Info added how to enable the mod_plsql debugging mode
1-feb-2006 Another Workaround via PlsqlAlwaysDescribeProcedure + advisory from Integrigy added
4-feb-2006 Oracle FAQ for this vulnerability added
18-apr-2006 Oracle released CPU April 2006 which contains a fix for this problem


© 2006 by Red-Database-Security GmbH - last update 18-apr-2006


MOD_PLSQL is an Apache (Web Server) extension module that allows one to create dynamic web pages from PL/SQL packages and stored procedures. With mod_plsql it is possible to develop fast and flexible applications that can run on the Internet or an Intranet.

MOD_PLSQL was formerly known asOracle PL/SQL Cartridge or OWA (Oracle Web Agent).