
Vulnerabilities in FTP and HTTP access to Oracle XML Database 9.2.0.1

Attack ID: CPAI-2003-29
Publish Date:
Category: Remote code execution
Vulnerable Systems: Oracle 9i XDB (XML Database) ver 9.2.0.1
Source: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf
Description: Oracle XML Database is vulnerable to 4 different buffer overflow attacks via its FTP and HTTP access.
Severity:
  Successful exploitation may lead to remote code execution.
Details:

The Oracle XML Database (XDB) is accessible via FTP on port 2100 and HTTP on port 8080. There are 4 different buffer overflows in the FTP and HTTP servers, reachable via:

  • An overly long username or password sent to the HTTP or FTP server
  • The FTP server's 'test' and 'lock' commands with overly long parameters
Attack Detection:

The FTP 'test' and 'lock' commands are blocked by the FTP security server, and the following log entry is generated:

reason: command: 'test' was blocked
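The check that the log entry above reflects, written out as an added illustration; this is not Check Point's inspection code and not part of the original advisory. It screens FTP control-channel lines for the 'test' and 'lock' commands and for overly long USER/PASS arguments, and screens an HTTP Basic Authorization header for an overly long username or password. The 256-byte threshold is an assumption (the advisory gives no figure), and the sample session is constructed, not captured traffic.

```python
import base64
import binascii

# Assumed threshold for an "overly long" credential; the advisory gives no exact size.
MAX_CRED_LEN = 256

# FTP commands named in the advisory as overflow vectors, and the credential
# commands whose arguments feed the long-username/password overflow.
FTP_BLOCKED_CMDS = {"TEST", "LOCK"}
FTP_CREDENTIAL_CMDS = {"USER", "PASS"}


def inspect_ftp_command(line):
    """Screen one FTP control-channel line. Return a block reason, or None if it passes."""
    line = line.rstrip("\r\n")
    cmd, _, arg = line.partition(" ")
    cmd = cmd.upper()
    if cmd in FTP_BLOCKED_CMDS:
        # Mirrors the log text the advisory shows for a blocked command.
        return "command: '%s' was blocked" % cmd.lower()
    if cmd in FTP_CREDENTIAL_CMDS and len(arg) > MAX_CRED_LEN:
        return "command: '%s' argument too long (%d bytes)" % (cmd.lower(), len(arg))
    return None


def screen_ftp_session(lines):
    """Run inspect_ftp_command over a whole session; return (line_no, reason) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = inspect_ftp_command(line)
        if reason:
            hits.append((n, reason))
    return hits


def basic_auth_header(user, password):
    """Build an HTTP Basic Authorization header value from raw credential bytes."""
    return "Basic " + base64.b64encode(user + b":" + password).decode("ascii")


def inspect_http_authorization(header_value):
    """Screen an Authorization header value. Return a block reason, or None if it passes."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None  # only Basic carries the username/password inline
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "authorization: malformed base64 credentials"
    user, _, password = decoded.partition(b":")
    if len(user) > MAX_CRED_LEN:
        return "authorization: username too long (%d bytes)" % len(user)
    if len(password) > MAX_CRED_LEN:
        return "authorization: password too long (%d bytes)" % len(password)
    return None


# Constructed sample session: a normal login, then the four overflow triggers.
SAMPLE_FTP_SESSION = [
    "USER scott\r\n",
    "PASS tiger\r\n",
    "USER " + "A" * 1000 + "\r\n",
    "TEST " + "B" * 2000 + "\r\n",
    "LOCK " + "C" * 2000 + "\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for n, reason in screen_ftp_session(SAMPLE_FTP_SESSION):
        print("line %d: %s" % (n, reason))
    print(inspect_http_authorization(basic_auth_header(b"A" * 1000, b"x")))
```

The command check is unconditional because 'test' and 'lock' serve no legitimate purpose for ordinary clients; the credential check is length-based and therefore only as good as the assumed threshold.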

Solution:

Use User Authentication to authenticate users before they can access the Oracle XDB FTP and HTTP servers. With the FTP and HTTP security servers in the path, clients must authenticate before reaching the server, and the security servers also block the 'test' and 'lock' commands. Note that this protects only traffic that passes through the module; clients that can reach the XDB listeners directly are not covered.

  1. To configure the security servers to listen on ports 2100 (FTP) and 8080 (HTTP), edit $FWDIR/conf/fwauthd.conf on the module and add the lines:
  8080 fwssd in.ahttpd wait 0
  2100 fwssd in.aftpd wait 0

     Restart the module (by issuing 'cpstop' followed by 'cpstart') so the changes take effect.

  2. In SmartDashboard, define two new TCP services (via Manage -> Services -> New -> TCP):
    1. Name: 'Oracle_XDB_FTP'
       Port: 2100
       Click on the 'Advanced' button, and from the 'Protocol Type' drop-down list select 'FTP'.

    2. Name: 'Oracle_XDB_HTTP'
       Port: 8080
       Click on the 'Advanced' button, and from the 'Protocol Type' drop-down list select 'HTTP'.

  3. Define a policy with a user-authentication rule that uses the newly created services. For example:
    Source: Oracle_Users@Internal_Net
    Destination: OracleServer
    Services: Oracle_XDB_FTP, Oracle_XDB_HTTP
    Action: User Auth
    Track: Log

  4. Install the policy on the module.
Industry Reference:
Additional Information: