Re: Workaround for unpatched Oracle PLSQL Gateway flaw

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

So, like, what about http://www.integrigy.com/info/IntegrigySecurityAnalysis-MODPLSQLVuln.pdf
This provides an excellent analysis of the problem. Further, it discusses the recommendation made by Vladimir Zakharychev from Webrecruiter. This recommendation is to set the "always_describe" / "PlsqlAlwaysDescribeProcedure" to "yes" / "on" in the "wdbsvr.app" / "dads.conf" file. This is a simple workaround and, as I can confirm, it does prevent exploitation. Why on earth didn't Oracle make this simple recommendation in the January 2006 CPU?
I hereby withdraw my workaround and would encourage everyone to adopt Vladimir's. 

Cheers,
David Litchfield
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux