The Oracle Reports parameter customize can read any file by using an absolute or relative file name. Parts of the file content are displayed in the Reports error message
f0314d4bf413e9fae79071434d7822edcb24e11ed4940e67ecba30ac5acd510fThe Oracle security feature "Transparent Data Encryption" is storing the masterkey unencrypted in the SGA. A skilled attacker or non-security DBA can retrieve the plaintext masterkey.
53734153442fd7cb77962aa30534146324550a2e0a0680fe77b1bc8e91a0d592Oracle Workflow is part of the database or application server installation. The parameter response form is vulnerable against XSS/CSS attacks.
2eb6c4ef458b17429b16b1a95e05c214585b85fc4637ec1a482c95d69ecf2c6fThe Oracle Forms servlet can be used to cause a denial of service against the TNS Listener.
72d657c9d34a08163e0ac91b91a9aecbea265ce6791086334997b32c828e111fThe web interface for iSQLPlus in Oracle Database 9.0.2.4 can be used to cause a denial of service against the TNS Listener.
ab783831ce9a6285a953756ea16236eef2b4d64b31bed4e8bbd16eb3b6fcc156The XMLDB in Oracle Database 9i Release 2 is susceptible to cross site scripting attacks.
f60d5590bc2279e0eb2f276fa15e511bb23e3ee2dfdb2f652d24eead062a25fdOracle Database 9.0.2.4 with iSQLPlus is susceptible to a cross site scripting flaw.
4e46dcca1545f3b988b96e9d9519b788e4170a780349fceb576370c8407df3beDuring the manual installation process of Oracle HTMLDB, the SYS password is logged in plaintext into the file install.lst.
8aade996b0fb6512d99be5ac7c4565565139723d4135a6aaeb91226a61a3af85The Oracle HTMLDB contains some cross site scripting vulnerabilities.
d2f371949cb27d269d5b9249b1197ca0e6160b0e34383d38e2056e71438de8dbOracle Reports fails to properly sanitize user input allowing for SQL injection attacks.
1231437f23fca1da680f92cd8c0d24b09e7b06a69abcf763b7b9272ddd7ced0aA dictionary based Oracle password checker. This is a useful and fast (150.000 pw/sec) tool for DBAs to identify Oracle accounts with weak or default passwords.
347557ee38aed91ccdfda881256b418152b5fc74c3ede2186cf61ff83fe5f29cEvery user with CREATE JOB privilege can switch the SESSION_USER to SYS by executing a database job via dbms_scheduler on Oracle 10g.
89a141519dcef0c60eb5caae4118b9350bed9c359a49fba7854f155c388e595cFine grained audit (FGA) is disabled for all users if the user SYS runs a SELECT statement on a FGA object in Oracle 9i / 10g.
ef0e69af9d00f437ba72ca0fee630f111a4921211bcba924fef4da010fb8148cOracle Reports allows for the reading of parts of XML files via a customized parameter.
4d27059175e1dcc7aeac399414cc2c7127df1d03ac5be93c671f03ad7943b4dbOracle (Web) Forms versions 4.5, 5.0, 6.0, 6i, 9i, and 10g allow for remote command execution.
03f7b32a794cc3457f7a79373ed1363ef640d03456f77d185a3b500f8658e02eOracle Reports versions 6.0, 6i, 9i, and 10g allows for unauthorized command execution.
c4d8f576853527f5797d50ebac8b56c69d36581500b4309070c285b0057679f2Oracle Reports versions 6.0, 6i, 9i, and 10g allow for arbitrary file overwrites.
601395cdc955fabeda3c3d734002f48426a76e9cd93e33bd11a599d3182ac047It appears that Oracle may have silently fixed additional bugs in their recent security bugfix release.
e0092d5f6bdb2133ade57acba8c98c3d9e47d8cb0d9564b550ca52fec6509e26Red-Database-Security GmbH Advisory - Oracle Forms 4.5, 6.0, 6i, and 9i suffer from an insecure file handling vulnerability.
fa4eaf8e7d0fdc3d758812044a9f5867ff11c7040921a31aa5d1a5658f5ca1efRed-Database-Security GmbH Advisory - Oracle Formsbuilder version 9.0.4 fails to remove files from a temporary directory after closing. These files hold passwords.
92d250e9df585c90c8a7056d41f17421ea64bf7a057934e647141c68176c2a7bRed-Database-Security GmbH Advisory - Oracle JDeveloper versions 9.0.4, 9.0.5, and 10.1.2 suffer from a security issue where they store passwords in the clear.
1ef7d326099db85757b1d0d45d41e4e79836e1fb7b8ff8e4749aba6ac6cae850Red-Database-Security GmbH Advisory - Oracle JDeveloper versions 9.0.4, 9.0.5, and 10.1.2 suffer from a security issue where they pass a plaintext password to sqlplus.
6cc2a4972fdac4f610e2d1dd525a1fede3e1ecfc4372f8b465e4547f449f5fa4
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed