<<< Date Index >>>     <<< Thread Index >>>

Re: Workaround for unpatched Oracle PLSQL Gateway flaw



So, like, what about http://www.integrigy.com/info/IntegrigySecurityAnalysis-MODPLSQLVuln.pdf

This provides an excellent analysis of the problem. Further, it discusses the recommendation made by Vladimir Zakharychev from Webrecruiter. This recommendation is to set the "always_describe" / "PlsqlAlwaysDescribeProcedure" to "yes" / "on" in the "wdbsvr.app" / "dads.conf" file. This is a simple workaround and, as I can confirm, it does prevent exploitation. Why on earth didn't Oracle make this simple recommendation in the January 2006 CPU?

I hereby withdraw my workaround and would encourage everyone to adopt Vladimir's.

Cheers,
David Litchfield