Oracle iSQL*Plus vulnerabilities
Created 11/5/02
CAN-2002-1264 (now CVE-2002-1264)
Impact
A remote user, without valid database credentials, could execute arbitrary
operating system commands with SYSTEM privileges (Windows) or the
privileges of the oracle account (Unix).
Background
The iSQL*Plus application, which comes with Oracle 9i,
allows users to query an Oracle database from a web browser.
The Problem
11/5/02
iSQL*Plus on Oracle 9i does not bound the length of the USERID
parameter submitted from its login page, so an over-long value overflows
a fixed-size buffer on the stack. A remote attacker who enters a long,
specially crafted user ID at the login screen can overwrite stack memory
and execute arbitrary commands. No valid database credentials are needed,
because the overflow occurs while the login request is being processed,
before any authentication takes place. The commands run with the
privileges of the iSQL*Plus process: usually SYSTEM on Windows and the
oracle account on Unix. Oracle 9i releases 9.0.x (all releases), 9.2.0.1,
and 9.2.0.2 are affected by this vulnerability.
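As an added illustration of the bug class described above (this is not iSQL*Plus source, nor Oracle's or NGSSoftware's code): a hypothetical login-form parser in C that decodes the USERID field into a fixed 30-byte stack buffer, once with no bound on the output and once with the single check that closes the hole. The 30-byte cap, the field names, the status codes and the sample request bodies are constructed assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define USERID_MAX 30   /* assumed cap for this demo; Oracle user names are at most 30 bytes */

enum { LOGIN_OK = 0, LOGIN_MISSING = -1, LOGIN_TOO_LONG = -2 };

/* Find the raw (still URL-encoded) value of `name` in a form body such as
 * "USERID=scott&PASSWORD=tiger". Returns a pointer into body and the encoded
 * length via *len, or NULL if the field is absent. */
static const char *find_param(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1, *e = strchr(v, '&');
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode one byte of src[0..len) at *i and advance *i: '+' -> ' ', %XX -> that
 * byte, malformed escapes kept literally. Shared by both login routines. */
static unsigned char next_byte(const char *src, size_t len, size_t *i)
{
    unsigned char c = (unsigned char)src[*i];
    if (c == '+') { (*i)++; return ' '; }
    if (c == '%' && *i + 2 < len) {
        int hi = hexval((unsigned char)src[*i + 1]), lo = hexval((unsigned char)src[*i + 2]);
        if (hi >= 0 && lo >= 0) { *i += 3; return (unsigned char)(hi * 16 + lo); }
    }
    (*i)++;
    return c;
}

/* VULNERABLE: a fixed automatic (stack) buffer filled from an attacker-controlled
 * field with no bound on the output index. Only call with short input: a long
 * USERID overwrites the rest of this frame, saved registers and return address
 * included, which is exactly what an exploit relies on. */
int login_vulnerable(const char *body)
{
    char userid[USERID_MAX + 1];
    size_t len, i = 0, o = 0;
    const char *v = find_param(body, "USERID", &len);
    if (!v) return LOGIN_MISSING;
    while (i < len) userid[o++] = (char)next_byte(v, len, &i);   /* BUG: o is never checked */
    userid[o] = '\0';
    return (int)strlen(userid);
}

/* HARDENED: same parser, but every write is checked against the buffer size
 * first, so over-long input is rejected before a byte can land outside `out`. */
int login_hardened(const char *body, char *out, size_t cap)
{
    size_t len, i = 0, o = 0;
    const char *v = find_param(body, "USERID", &len);
    if (!v) return LOGIN_MISSING;
    while (i < len) {
        if (o + 1 >= cap) { out[0] = '\0'; return LOGIN_TOO_LONG; }   /* keep room for NUL */
        out[o++] = (char)next_byte(v, len, &i);
    }
    out[o] = '\0';
    return LOGIN_OK;
}

/* Runs the hardened path on a body and leaves the decoded user ID in g_userid. */
char g_userid[USERID_MAX + 1];
int hardened_status(const char *body) { return login_hardened(body, g_userid, sizeof g_userid); }

int main(void)
{
    /* Constructed request bodies: a normal login and one carrying a 200-byte USERID. */
    const char *normal = "USERID=scott&PASSWORD=tiger&CONNECTSTRING=orcl";
    char attack[256] = "USERID=";
    memset(attack + 7, 'A', 200);
    attack[207] = '\0';
    printf("hardened, normal : status %d, userid \"%s\"\n", hardened_status(normal), g_userid);
    printf("hardened, attack : status %d (rejected)\n", hardened_status(attack));
    printf("vulnerable, normal: %d bytes decoded\n", login_vulnerable(normal));
    /* login_vulnerable(attack) is deliberately not called: it would smash this frame. */
    return 0;
}
```

The two login routines differ only in the one line that compares the output position with the buffer size. Note that the check is on the decoded output position, not on the encoded length of the parameter: %XX escapes shrink when decoded, so a check on the raw length is merely conservative, whereas decoding first and checking afterwards is the bug itself.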
Resolution
To fix the iSQL*Plus vulnerability, download and install Oracle patch
2581911 for the affected release. Until the patch is in place, reduce
exposure by restricting network access to the iSQL*Plus web interface, or
by disabling iSQL*Plus if it is not needed.
Where can I read more about this?
This vulnerability was reported in Oracle Security Alert #46 and
NGSSoftware Advisory #NISR04112002.