Overview
By default, the /ows-bin/ directory allows execution of CGI scripts. The Oracle Web Listener will execute batch files as CGI scripts. By making a request to a batch file in ows-bin that requires one or more arguments, it is possible for a knowledgeable and malicious user to execute arbitrary commands. This bug was originally reported by Cerberus Information Security.

Products Affected

  • Oracle Application Server (all releases up to 4.0.8.1)

Solutions Proposed
The bug has been fixed in Oracle Application Server (OAS) 4.0.8.2, now nearing code freeze. Specifically, the virtual path /ows-bin/ has been removed from the default installation. If an application developer needs access to one or more executables in ows-bin, they need to copy that executable to a separate directory and define a new virtual path for it.

Workarounds for Releases Prior to 4.0.8.2

  • OAS 4.0.8.1 and prior releases (using the default Spyglass listener)
    The site administrator should remove the /ows-bin/ directory from the list of virtual paths, which eliminates the vulnerability. This is accessible from the OAS manager using the path: Website 40 -> HTTP Listeners -> .www -> Directory.

  • OAS 4.0.8.1 and older releases (using the Apache listener)
    The Apache listener needs access to "rmproxy.ior" in the /ows-bin/ directory. In order to eliminate the security problem and keep the Apache listener operational, the administrator should create a new directory and move "rmproxy.ior" to that directory, and point the virtual directory /ows-bin/ to the new directory.

    For example, if the current definition is:

    File System Directory = Virtual Directory
    C:\oas4081\ows\4.0\bin\ = /ows-bin/

    An acceptable solution would be to create the directory "C:\oas4081\ows\4.0\bin\remote\", move rmproxy.ior to this new directory, and associate virtual directory /ows-bin/ with the new directory:

    File System Directory = Virtual Directory
    C:\oas4081\ows\4.0\bin\remote\ = /ows-bin/
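The following audit script is an added example and is not Oracle's code or part of this advisory. It checks the property the workaround above relies on: that the filesystem directory behind the CGI-enabled virtual path /ows-bin/ no longer contains any batch file. It assumes a simplified mapping text in the same "File System Directory = Virtual Directory" shape shown above (the real listener configuration format is not assumed here), and it builds both the original and the remediated directory layouts in a scratch directory with constructed sample files (a hypothetical helper.bat alongside rmproxy.ior).

```python
"""Audit a /ows-bin/ style virtual-directory mapping for batch files reachable as CGI.

Added example, not Oracle's code. The mapping format is a simplified stand-in
for the table shown in the advisory; directories and files are constructed.
"""
import os
import tempfile

# Extensions the Oracle Web Listener treats as executable batch scripts (per the advisory).
BATCH_EXTENSIONS = {".bat", ".cmd"}
# Virtual paths on which the listener executes CGI scripts.
CGI_VIRTUAL_PATHS = {"/ows-bin/"}


def parse_mapping(text):
    """Parse 'File System Directory = Virtual Directory' lines into (fs_dir, virtual) pairs.

    The header line is skipped; each remaining line is split on its last '='.
    """
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("file system directory"):
            continue
        if "=" not in line:
            continue
        fs_dir, virtual = (part.strip() for part in line.rsplit("=", 1))
        mappings.append((fs_dir, virtual))
    return mappings


def exposed_batch_files(mappings):
    """Return (virtual_url, filesystem_path) for every batch file under a CGI virtual path."""
    findings = []
    for fs_dir, virtual in mappings:
        if virtual not in CGI_VIRTUAL_PATHS or not os.path.isdir(fs_dir):
            continue
        for root, _dirs, files in os.walk(fs_dir):
            for name in files:
                if os.path.splitext(name)[1].lower() in BATCH_EXTENSIONS:
                    full = os.path.join(root, name)
                    rel = os.path.relpath(full, fs_dir).replace(os.sep, "/")
                    findings.append((virtual + rel, full))
    return findings


def audit(mapping_text):
    """Convenience wrapper: parse the mapping text and report exposed batch files."""
    return exposed_batch_files(parse_mapping(mapping_text))


def _touch(path):
    with open(path, "w"):
        pass


def build_demo(root):
    """Construct the advisory's 'before' and 'after' layouts under root (constructed data)."""
    bin_dir = os.path.join(root, "ows", "4.0", "bin")
    remote_dir = os.path.join(bin_dir, "remote")
    os.makedirs(remote_dir)
    # Original layout: rmproxy.ior sits beside a (hypothetical) batch file in the mapped dir.
    _touch(os.path.join(bin_dir, "rmproxy.ior"))
    _touch(os.path.join(bin_dir, "helper.bat"))
    # Remediated layout: only rmproxy.ior lives in the dedicated subdirectory.
    _touch(os.path.join(remote_dir, "rmproxy.ior"))
    header = "File System Directory = Virtual Directory\n"
    before = header + bin_dir + os.sep + " = /ows-bin/\n"
    after = header + remote_dir + os.sep + " = /ows-bin/\n"
    return before, after


def run_demo():
    """Audit both layouts; returns (findings_before, findings_after) counts."""
    with tempfile.TemporaryDirectory() as root:
        before, after = build_demo(root)
        return len(audit(before)), len(audit(after))


if __name__ == "__main__":
    print("exposed batch files (before, after):", run_demo())  # (1, 0)
```

Running the script reports one exposed batch file for the original mapping and none once /ows-bin/ points at the remote subdirectory holding only rmproxy.ior. In a real deployment, point the script at the listener's actual directory mapping and run it after every change to the virtual path table.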