Webcache Client Requests Bypass OHS mod_access Restrictions
Red-Database-Security GmbH Research Advisory
Name Webcache Client Requests Bypass OHS mod_access Restrictions
Systems Affected Oracle HTTP Server
Severity Medium Risk
Category Bypass protected URLs via Webcache
Vendor URL http://www.oracle.com
Author Alexander Kornbrust (ak at red-database-security.com)
Date 26 Apr 2005 (V 1.00)
Advisory number AKSEC2003-015
Description
###########
Without the parameter "UseWebcacheIP ON" it is possible to bypass Oracle HTTP
Server
mod_access restrictions.
More details available:
#######################
http://www.red-database-security.com/advisory/oracle_webcache_bypass.html
Patch Information
#################
Add the new parameter "UseWebCacheIP ON" to the httpd.conf
History:
########
01 October 2003 Oracle secalert was informed
23 October 2003 Bug confirmed
26 April 2005 Advisory released
About Red-Database-Security GmbH
#################################
Red-Database-Security GmbH is a specialist in Oracle Security.
http://www.red-database-security.com