Information Security News mailing list archives

Oracle in buffer overflow brown alert


From: InfoSec News <isn () c4i org>
Date: Wed, 13 Nov 2002 00:31:38 -0600 (CST)

http://www.theregister.co.uk/content/55/28057.html

By John Leyden
Posted: 12/11/2002 at 13:28 GMT

Security researchers are warning of a potentially nasty buffer
over-run flaw in Oracle Database 9i databases.

In common with such flaws, a buffer overflow in the iSQL*Plus module
of Oracle 9i might allow an attacker to run arbitrary code in the
security context of the Web server. iSQL*Plus is a Web-based
application that allows users to query the database.
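The flaw class the article describes is an unbounded copy of attacker-controlled web input into a fixed-size buffer. The following C snippet is an added illustration of that class and of the corresponding fix; it is not Oracle's or iSQL*Plus's code, and the function names, the 64-byte parameter limit and the simulated request handler are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical web module (not Oracle's code): a query-string parameter is
 * copied into a fixed-size stack buffer before being handed to the database. */
#define PARAM_MAX 64

/* The flaw class: an unbounded copy trusts the length of untrusted input.
 * Shown only for comparison; it is never called with overlong input here,
 * because input longer than PARAM_MAX - 1 would overwrite the stack. */
void copy_param_unbounded(char *dst, const char *src)
{
    strcpy(dst, src); /* no length check on attacker-controlled data */
}

/* Hardened version: measure the input without reading past PARAM_MAX bytes,
 * reject anything that does not fit (including its terminator), and return
 * -1 so the caller can answer with an error instead of proceeding. */
int copy_param_bounded(char dst[PARAM_MAX], const char *src)
{
    size_t n = 0;
    while (n < PARAM_MAX && src[n] != '\0')
        n++;
    if (n >= PARAM_MAX)
        return -1;           /* too long: refuse rather than truncate silently */
    memcpy(dst, src, n + 1); /* copy including the NUL terminator */
    return (int)n;
}

/* Simulated request handler: 1 if the parameter was accepted, 0 if rejected. */
int handle_query(const char *param)
{
    char buf[PARAM_MAX];
    if (copy_param_bounded(buf, param) < 0)
        return 0;
    /* ... buf would now be passed on to the database layer ... */
    return 1;
}

int main(void)
{
    char long_input[200]; /* constructed overlong input */
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';
    printf("short parameter accepted: %d\n", handle_query("select 1 from dual"));
    printf("overlong parameter accepted: %d\n", handle_query(long_input));
    return 0;
}
```

The bounded version makes the maximum length an explicit contract of the function and fails closed at the boundary (63 characters plus the terminator fit; 64 do not), which is the property that turns a remote code execution bug into a rejected request.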

David Litchfield of NGS Software warns that the problem affects Oracle
Database 9i R1 and R2 on all operating systems - not just Web servers. He
describes the problem as "high risk".

In an advisory posted on BugTraq last week he warns: "On most systems
this will be the 'Oracle' user and on Windows the 'SYSTEM' user. Once
the web server has been compromised attackers may then use it as a
staging platform to launch attacks against the database server
itself."

NGS Software alerted Oracle to this problem on the 18th of October and
Oracle, last week, issued an alert. The Oracle bug number assigned to
this issue is 2581911. Patches can be downloaded from the Oracle
Metalink site.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

