
oracleSilent.txt

Posted Jul 15, 2005
Authored by Alexander Kornbrust | Site red-database-security.com

It appears that Oracle may have silently fixed additional bugs in their recent security bugfix release.

tags | advisory
SHA-256 | e0092d5f6bdb2133ade57acba8c98c3d9e47d8cb0d9564b550ca52fec6509e26

Hello BugTraq-Reader

After reading the patch documentation and some tests with the CPU July
2005 I found out that Oracle fixed some security bugs silently without
mentioning these bugs in their current risk matrix.

Detailed information about most of these bugs is not available via
Metalink but in many cases the description is sufficient for a malicious
attacker (e.g. "/DAV_PUBLIC IS NOT PROTECTED BY DEFAULT ENABLING MALITIOUS
USER TO FILL IT UP")


For OHS 9.0.2.3:
3174425 - OHS CRASHES WITH A SPECIFIC REQUEST
3396862 - MOD_OSSO DOES NOT EXPIRE PARTNER APPLICATION COOKIES

For Mod_Oradav 9.0.2.3:
2576249 - /DAV_PUBLIC IS NOT PROTECTED BY DEFAULT ENABLING MALITIOUS
USER TO FILL IT UP
2544464 - ORAALTPASSWORD SHOULD BE ENCRYPTED AND NOT JUST OBFUSCATED

For Webcache 9.0.2.3
2972458 - WEBCACHE SERVES DOCUMENTS AT 40 BIT ENCRYPTION WHEN 128
SPECIFIED IN OHS

For OHS 9.0.3.1:
3164583 - INACTIVITY TIMEOUT CAN BE BYPASSED USING BROWSER BACK BUTTON
2701804 - OHS HANGS: NO BUFFER SPACE AVAILABLE: ACCEPT: (CLIENT SOCKET)
3174425 - OHS CRASHES WITH A SPECIFIC REQUEST

For DB 9.0.1.4 or DB 9.0.1.5:
3889519 - UPLOAD IN SSL DOES NOT WORK WITH IE AFTER SECALERT 68 OR DB
PATCH 9015

DB 9.0.1.5Fips Patch 4 : 4340015
4067484 SSO SERVER XSS CHECK

DB 9.0.1.5Fips Patch 2 : 4210722
2605435 : MEMORY LEAK WHEN EXECUTING A QUERY THROUGH TAF CONNECTION

This information is available at
https://www.red-database-security.com/whitepaper/cpu_july_2005_silently_fixed_bugs.html


Regards

Alexander Kornbrust
Red-Database-Security GmbH


PS: Don't miss the Oracle Security related talks at Black Hat 2005 in
Las Vegas. I will show how to circumvent Oracle's database encryption
(dbms_crypto/dbms_obfuscation_toolkit) to decrypt sensitive information.

All Oracle Security related topics at the Black Hat 2005 USA.

https://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Cerrudo
https://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Fayo
https://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Kornbrust
https://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Litchfield
