Users login

Create an account »


Users login

Home » Hacking News » Oracle9iAS Web Cache Denial of Service (a102802-1)

Oracle9iAS Web Cache Denial of Service (a102802-1)

by Nikola Strahija on October 28th, 2002 Oracle Web Cache is a part of the Oracle Application Server suite. The Web Cache server is designed to be implemented in front of the Oracle Web server and act as a caching reverse proxy server.

There exists two different denial of service scenarios, which will cause
the Web Cache service to fail. The denial of service conditions can be
exploited by simple HTTP requests to the Web Cache service.

Detailed Description:

There exists two different denial of service situations in Oracle Web
Cache The first one is triggered by issuing a HTTP GET
request containing at least one dot-dot-slash contained in the URI:

GET /../ HTTP/1.0
Host: whatever

The second denial of service is triggered by issuing an malformed GET

GET / HTTP/1.0
Host: whatever
Transfer-Encoding: chunked

Both will create an exception and the service will fail.

Vendor Response:

Vendor was first contacted by @stake: 08-28-2002.
Vendor released a bulletin: 10-04-2002

Oracle has released a bulletin describing a solution to this issue.


Follow the vendor's instructions detailed in the security bulletin for
this issue.

- - From the Oracle bulletin:

Customers should follow best security practices for protecting the
administration process from unauthorized users and requests. As such,
Oracle strongly encourages customers to take both of the following
protective measures:
1. Use firewall techniques to restrict access to the Web Cache
administration port.
2. Use the “Secure Subnets” feature of the Web Cache Manager tool to
provide access only to administrators connecting from a list of
permitted IP addresses or subnets.
The potential security vulnerability is being tracked internally at
Oracle and will be fixed by default in the 9.0.4 release of Oracle9i
Application Server.

For more information, see:

Common Vulnerabilities and Exposures (CVE) Information:

CAN-2002-0386 Oracle9iAS Web Cache Denial of Service

@stake Vulnerability Reporting Policy:

@stake Advisory Archive:

PGP Key:

Copyright 2002 @stake, Inc. All rights reserved.

Version: PGPfreeware 7.0.3 for non-commercial use ;


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »