PT-2002-1609 · Oracle · Oracle 9I Application Server
Published
2002-06-11
·
Updated
2017-12-19
·
CVE-2002-0559
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Oracle 9i Application Server versions 1.0.2.x
Description
The issue concerns buffer overflows in the PL/SQL module, which can be exploited by remote attackers to cause a denial of service or execute arbitrary code. This can be achieved through various means, including:
- a long help page request without a dadname, which overflows the resulting HTTP Location header,
- a long HTTP request to the plsql module,
- a long password in the HTTP Authorization,
- a long Access Descriptor (DAD) password in the addadd form,
- a long cache directory name.
Recommendations
For Oracle 9i Application Server version 1.0.2.x, consider restricting access to the PL/SQL module until a patch is available. As a temporary workaround, limit the length of HTTP requests and input parameters to prevent buffer overflows. Avoid using long passwords in the HTTP Authorization and long Access Descriptor (DAD) passwords in the addadd form. Restrict the cache directory name to a reasonable length to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Oracle 9I Application Server