Re: Workaround for unpatched Oracle PLSQL Gateway flaw
So, like, what about
http://www.integrigy.com/info/IntegrigySecurityAnalysis-MODPLSQLVuln.pdf
This provides an excellent analysis of the problem. Further, it discusses
the recommendation made by Vladimir Zakharychev from Webrecruiter. This
recommendation is to set the "always_describe" /
"PlsqlAlwaysDescribeProcedure" to "yes" / "on" in the "wdbsvr.app" /
"dads.conf" file. This is a simple workaround and, as I can confirm, it does
prevent exploitation. Why on earth didn't Oracle make this simple
recommendation in the January 2006 CPU?
I hereby withdraw my workaround and would encourage everyone to adopt
Vladimir's.
Cheers,
David Litchfield