Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Oracle :: orac5428.htm

Oracle Reports Server buffer overflow
13th Jun 2002 [SBWID-5428]

	Oracle Reports Server buffer overflow


	Oracle 9iAS


	In     NGSSoftware     Insight      Security      Research      advisory

	Oracle\'s Report Server contains a remotely exploitable  buffer  overrun
	vulnerability in one of its CGI based programs.

	By supplying an overly long database name parameter to the rwcgi60  with
	the setauth method, a remote  attacker  can  overwrite  a  saved  return
	address on the stack, gaining control over the processes execution.

	Any exploit code supplied by the  attacker  will  run  in  the  security
	context of account the web server is running as. Normally  on  platforms
	running a unix variant the account has limited privileges;  However,  on
	Windows based system the web server, by default, runs in the context  of
	the local SYSTEM account.



	Oracle have now released patches which are available from  the  Metalink
	site. The patch number is 2356680.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH