PT-2002-1609 · Oracle · Oracle 9I Application Server
Publicado
2002-06-11
·
Atualizado
2017-12-19
·
CVE-2002-0559
CVSS v2.0
7.5
Alta
| Vetor | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Oracle 9i Application Server versions 1.0.2.x
Description
The issue concerns buffer overflows in the PL/SQL module, which can be exploited by remote attackers to cause a denial of service or execute arbitrary code. This can be achieved through various means, including:
- a long help page request without a dadname, which overflows the resulting HTTP Location header,
- a long HTTP request to the plsql module,
- a long password in the HTTP Authorization,
- a long Access Descriptor (DAD) password in the addadd form,
- a long cache directory name.
Recommendations
For Oracle 9i Application Server version 1.0.2.x, consider restricting access to the PL/SQL module until a patch is available. As a temporary workaround, limit the length of HTTP requests and input parameters to prevent buffer overflows. Avoid using long passwords in the HTTP Authorization and long Access Descriptor (DAD) passwords in the addadd form. Restrict the cache directory name to a reasonable length to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Oracle 9I Application Server