David Litchfield has reported a vulnerability in various Oracle products, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an error in the Oracle PL/SQL Gateway component during the validation of certain HTTP requests. This can be exploited to bypass the PLSQLExclusion list and gain access to excluded packages and procedures via specially-crafted HTTP requests.
Successful exploitation allows an attacker to gain DBA access to the database server through the web server.
The vulnerability has been reported in the PL/SQL Gateway component included in the Oracle Application Server and the Oracle HTTP Server.
Note: The affected component may also be included in other Oracle products.
Solution: Apply patches from the April Critical Patch Update (see vendor advisory).
Provided and/or discovered by: David Litchfield, NGSSoftware.
Original Advisory: Oracle:
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to firstname.lastname@example.org