Oracle 8.x/9.x/10.x Database - Multiple SQL Injections
source: https://www.securityfocus.com/bid/13144/info Oracle database is reported prone to multiple SQL injection vulnerabilities. These issues exist due to insufficient sanitization of user-supplied data. These issues can be exploited using malformed PL/SQL statements to pass unauthorized SQL...
CVE-2002-1636
CVE-2002-1636 affects Oracle 9i Application Server (9iAS) via the htp PL/SQL package. The vulnerability exists in htp.print where user-supplied cbuf can inject arbitrary script/HTML, enabling remote XSS. No remediation or fix version is provided in the supplied documents.
Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i
Researchers at NGSSoftware have discovered multiple high risk vulnerabilities in the Oracle Database Server. Versions affected include Oracle Database 10g (all releases) and Oracle9i Database Server (all releases). The vulnerabilities include PL/SQL Injection vulnerabilities that allow low privileged...
Oracle Trigger Abuse (#NISR2122004I)
NGSSoftware Insight Security Research Advisory Name: Oracle 10g/9i Trigger Abuse Systems Affected: Oracle 10g/9i on all operating systems Severity: High risk Vendor URL: http://www.oracle.com/ Author: David Litchfield davidl at ngssoftware.com Relates to:...
Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H)
NGSSoftware Insight Security Research Advisory Name: Oracle 10g/9i Multiple PL/SQL injection vulnerabilities Systems Affected: Oracle 10g/AS on all operating systems Severity: High risk Vendor URL: http://www.oracle.com/ Author: David Litchfield davidl at ngssoftware.com Relates to:...
Multiple SQL Injection Vulnerabilities in Oracle Application Server 9i and RDBMS (#NISR05112003)
NGSSoftware Insight Security Research Advisory Name : Multiple Oracle Application Server SQL Injection Vulnerabilities Systems Affected: All OS platforms; Oracle9i Application Server Release 1 and 2 and RDBMS Severity : High Risk Vendor URL : http://www.oracle.com/ Author : David Litchfield...
CVE-2003-0634
Stack-based buffer overflow in the PL/SQL EXTPROC functionality for Oracle9i Database Release 2 and 1, and Oracle 8i, allows authenticated database users, and arbitrary database users in some cases, to execute arbitrary code via a long library name...
CVE-2003-0634
The vulnerability (CVE-2003-0634) affects Oracle9i Database Release 2/1 and Oracle 8i, due to a stack-based buffer overflow in the PL/SQL EXTPROC component. An authenticated (and in some cases arbitrary) database user can potentially execute arbitrary code by supplying a long library name. This s...
Oracle Extproc Buffer Overflow (#NISR25072003)
NGSSoftware Insight Security Research Advisory Name: Oracle Extproc Buffer Overflow Systems Affected: Most OS platforms; Oracle9i Database Release 2 and 1, 8i Severity: High Risk Vendor URL: http://www.oracle.com Authors: David Litchfield [email protected] Chris Anley [email protected]...
Oracle 9iAS PL/SQL Gateway Web Admin Interface Null Authentication
Oracle 9i Application Server uses Apache as its web server with an Apache module for PL/SQL support. By default, no authentication is required to access the DAD configuration page. An attacker may use this flaw to modify PL/SQL applications or prevent the remote host from working properly...
CVE-2002-1666
Unknown vulnerability in Oracle E-Business Suite 11i.1 through 11i.6 allows remote attackers to execute unauthorized PL/SQL procedures by modifying the Oracle Applications URL...
CVE-2002-0561
The default configuration of the PL/SQL Gateway web administration interface in Oracle 9i Application Server 1.0.2.x uses null authentication, which allows remote attackers to gain privileges and modify DAD settings...
CVE-2002-0559
Buffer overflows in PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allow remote attackers to cause a denial of service or execute arbitrary code via (1) a long help page request without a dadname, which overflows the resulting HTTP Location header, (2) a long HTTP request to the plsq...
CVE-2002-0567
Oracle 8i and 9i with PL/SQL package for External Procedures EXTPROC allows remote attackers to bypass authentication and execute arbitrary functions by using the TNS Listener to directly connect to the EXTPROC process...
CVE-2002-0564
CVE-2002-0564 affects Oracle 9i Application Server 1.0.2.x via PL/SQL module 3.0.9.8.2. An attacker can bypass authentication for a Database Access Descriptor (DAD) by altering the URL to reference a different DAD that already has valid credentials, enabling unauthorized access. The description n...
CVE-2002-0561
CVE-2002-0561 affects Oracle 9i Application Server's PL/SQL Gateway web administration interface. The default configuration uses null authentication, allowing remote attackers to bypass access controls and modify DAD/settings via the PL/SQL gateway administration pages. Details in connected advis...
CVE-2002-0559
The CVE-2002-0559 entry concerns a buffer overflow in Oracle9i Application Server’s Apache PL/SQL module exposed via the PL/SQL gateway (mod_plsql). The vulnerability arises from processing long inputs (e.g., long HTTP requests, long DAD passwords, long Authorization headers, or long cache direct...
CVE-2002-0560
Oracle 9i Application Server 1.0.2.x with PL/SQL module 3.0.9.8.2 exposes OWA_UTIL procedures (signature, listprint, show_query_columns) to remote attackers, enabling information disclosure. Affected component is the PL/SQL gateway (modplsql) in Oracle 9iAS; exploitation involves unauthenticated ...