CVE-1999-1068
Description
Oracle Webserver 2.1 crashes when a long HTTP GET request is sent to a PL/SQL stored procedure endpoint, causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Oracle Webserver 2.1, when configured to serve PL/SQL stored procedures (commonly at endpoints like /ows-bin/), suffers from a denial-of-service vulnerability. A remote attacker can send an HTTP GET request with a long query string parameter (e.g. 2600 'a' characters) to the PL/SQL endpoint, causing the server to crash silently. Version 2.0 does not exhibit this behavior [1].
Exploitation
No authentication or special privileges are required; the attacker only needs network access to the target webserver. Using a combination of Perl and NetCat (or any other HTTP client), the attacker sends an HTTP GET request to the PL/SQL stored procedure path with a parameter containing an overly long value. The server processes the request and crashes immediately, with no log entry generated [1].
Impact
A successful attack causes the Oracle Webserver 2.1 process to terminate, resulting in a denial of service. The server becomes unavailable to legitimate users until manually restarted. There is no indication of the crash in the server logs, hindering detection [1].
Mitigation
No official patch or fix is documented in the available references [1]. As of the publication date (July 1997), the vendor had not released a solution. Administrators are advised to move to an unaffected version (a later release, or Oracle Webserver 2.0, which did not exhibit the crash) or to implement network-level filtering that blocks excessively long request URIs.
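The length filtering suggested above can be sketched as a check on the HTTP request line that a front-end filter or proxy applies before the request reaches the PL/SQL endpoint. This is an added example, not code from the advisory or from Oracle; the two length limits and the `/owa/proc` sample paths are assumptions, since the page only states that a 2600-character parameter crashes the server.

```python
from urllib.parse import parse_qsl, unquote

PLSQL_PREFIX = "/ows-bin/"  # PL/SQL path named on the page
MAX_TARGET_LEN = 2048       # assumed cap on the whole request target
MAX_FIELD_LEN = 512         # assumed cap per decoded parameter name/value


def screen_request_line(line: str) -> tuple[bool, str]:
    """Return (allow, reason) for one raw HTTP request line."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    target = parts[1]
    if len(target) > MAX_TARGET_LEN:
        return False, "request target too long"
    path, _, query = target.partition("?")
    # Decode and lowercase so /ows%2Dbin/ or /OWS-BIN/ cannot sidestep the match.
    if PLSQL_PREFIX not in unquote(path).lower():
        return True, "not a PL/SQL endpoint"
    # keep_blank_values keeps bare tokens with no '=' so they are measured too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if max(len(name), len(value)) > MAX_FIELD_LEN:
            return False, "parameter too long for PL/SQL endpoint"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request lines for illustration; not captured traffic.
    samples = [
        "GET /ows-bin/owa/proc?p=hello HTTP/1.0",
        "GET /ows-bin/owa/proc?p=" + "a" * 600 + " HTTP/1.0",
        "GET /ows-bin/owa/proc?p=" + "a" * 2600 + " HTTP/1.0",
        "GET /ows%2Dbin/owa/proc?" + "%61" * 600 + " HTTP/1.0",
        "GET /index.html?x=" + "a" * 600 + " HTTP/1.0",
    ]
    for s in samples:
        allow, reason = screen_request_line(s)
        print("ALLOW" if allow else "BLOCK", reason, "|", s[:50])
```

Because the page reports that the crash leaves no entry in the server's own logs, recording each blocked request at the filter gives the only trace of an attempt.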
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:oracle:http_server:2.1:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
[1] marc.info (nvd)