Summary
In a default installation of Oracle 9iAS, it is possible to access the mod_plsql DAD Admin interface. Access to these pages should be restricted.
Solution
Edit the wdbsvr.app file, and change the setting 'administrators=' to named users who are allowed admin privileges.
Reference : http://online.securityfocus.com/archive/1/155881