Webcache Client Requests bypasses OHS mod_access Restrictions
Details
It is possible to access Apache-protected URLs by going through Webcache.

Patch Information
Oracle fixed this issue by introducing the parameter "UseWebcacheIP" to the Oracle HTTP Server (OHS), but never informed its customers about the issue with a security alert.

Workaround
Add "UseWebCacheIP ON" to httpd.conf.

Testcase (Port 7778 = Webcache, Port 7779 = OHS)
The following URLs are NOT protected if you access them via Webcache:
http://server01:7778/dmsoc4j/AggreSpy?format=metrictable&nountype=ohs_child&orderby=Name
http://server01:7778/server-status
http://server01:7778/dms0

The following URLs are protected:
http://server01:7779/dmsoc4j/AggreSpy?format=metrictable&nountype=ohs_child&orderby=Name
http://server01:7779/server-status
http://server01:7779/dms0

History
01-oct-2003 Oracle secalert was informed
01-oct-2003 Bug confirmed
26-apr-2005 Red-Database-Security published this advisory
11-may-2005 CAN added

© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
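To confirm that the workaround took effect, the test case above can be scripted. The following is an added example, not part of the original advisory or of any Oracle tooling: it requests each path from the test case on both ports and compares the answers. The function names, verdict labels and the treatment of 401/403 as "denied" are assumptions of this example; server01 and ports 7778/7779 are the advisory's sample values.

```python
import urllib.error
import urllib.request

# Paths from the advisory's test case; host name and ports are its sample values.
PATHS = [
    "/dmsoc4j/AggreSpy?format=metrictable&nountype=ohs_child&orderby=Name",
    "/server-status",
    "/dms0",
]
DENIED = (401, 403)  # assumption: statuses this example counts as "access refused"


def http_status(host, port, path, timeout=5):
    """GET http://host:port/path; return the status code, or None if unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=timeout) as r:
            return r.status
    except urllib.error.HTTPError as err:   # 4xx/5xx answers still carry a status code
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(ohs_status, webcache_status):
    """Compare the direct OHS answer with the answer obtained through Webcache."""
    if ohs_status is None or webcache_status is None:
        return "UNREACHABLE"
    if ohs_status in DENIED:
        if webcache_status in DENIED:
            return "PROTECTED"        # restriction also holds through Webcache
        if 200 <= webcache_status < 300:
            return "BYPASS"           # behaviour described in the advisory
        return "INCONCLUSIVE"
    if 200 <= ohs_status < 300:
        return "NOT_RESTRICTED"       # OHS itself allows this client; nothing to compare
    return "INCONCLUSIVE"


def audit(host, webcache_port=7778, ohs_port=7779, fetch=http_status):
    """Return {path: verdict} for every path in PATHS."""
    return {
        path: classify(fetch(host, ohs_port, path), fetch(host, webcache_port, path))
        for path in PATHS
    }


if __name__ == "__main__":
    for path, verdict in audit("server01").items():
        print(f"{verdict:15} {path}")
```

Run it from a client address that the mod_access rules are meant to deny; from an allowed address OHS answers 200 directly and every path is reported as NOT_RESTRICTED.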