Test ID: 1.3.6.1.4.1.25623.1.0.802525
Category: Databases
Title: Oracle Database Server Multiple Unspecified Vulnerabilities
Summary: Oracle database server is prone to an SQL command execution vulnerability.
Description:

Summary:
Oracle database server is prone to an SQL command execution vulnerability.

Vulnerability Insight:
The flaw is due to an error in the Oracle PL/SQL Gateway, which fails to
properly validate user-supplied HTTP requests.

Vulnerability Impact:
Successful exploitation allows an attacker to send a specially-crafted HTTP
request to bypass the PLSQLExclusion list and execute SQL commands on the back-end database with DBA privileges.

Affected Software/OS:
Oracle Database server versions 9.2.0.7 and 10.1.0.5

Solution:
Apply the patch from the referenced advisory.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2006-0435
BugTraq ID: 16384
http://www.securityfocus.com/bid/16384
Bugtraq: 20060125 Workaround for unpatched Oracle PLSQL Gateway flaw
http://www.securityfocus.com/archive/1/423029/100/0/threaded
Bugtraq: 20060208 Re: Workaround for unpatched Oracle PLSQL Gateway flaw
http://www.securityfocus.com/archive/1/423673/100/0/threaded
Bugtraq: 20060202 More on the workaround for the unpatched Oracle PLSQL Gateway flaw
http://www.securityfocus.com/archive/1/423822/100/0/threaded
Bugtraq: 20060202 The History of the Oracle PLSQL Gateway Flaw
http://www.securityfocus.com/archive/1/423819/100/0/threaded
http://www.securityfocus.com/archive/1/424394/100/0/threaded
CERT/CC vulnerability note: VU#169164
http://www.kb.cert.org/vuls/id/169164
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041742.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/041899.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/041898.html
HP Security Advisory: HPSBMA02113
http://www.securityfocus.com/archive/1/432267/100/0/threaded
HP Security Advisory: SSRT061148
http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html
http://www.osvdb.org/22719
http://securitytracker.com/id?1015544
http://securitytracker.com/id?1015961
http://secunia.com/advisories/18621
http://secunia.com/advisories/19712
http://secunia.com/advisories/19859
http://securityreason.com/securityalert/402
http://securityreason.com/securityalert/403
http://www.vupen.com/english/advisories/2006/0338
http://www.vupen.com/english/advisories/2006/1397
http://www.vupen.com/english/advisories/2006/1571
XForce ISS Database: oracle-plsql-command-execution(24363)
https://exchange.xforce.ibmcloud.com/vulnerabilities/24363
Copyright: Copyright (C) 2011 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.