stfu .
2009/1/13 <sexyazngr...@mac.hush.com> > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > afaik, no one cares about oracle. > > retarded blind scavengers make careers selling fallen, rotten, > previously low hanging fruit. > > <3 2 n3td3v > > > Tue, 13 Jan 2009 15:52:02 -0800 David Litchfield > <dav...@ngssoftware.com> wrote: > >NGSSoftware Insight Security Research Advisory > > > >Name: Trigger abuse of MDSYS.SDO_TOPO_DROP_FTBL > >Systems Affected: Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2) > >Severity: High > >Vendor URL: http://www.oracle.com/ > >Author: David Litchfield [ dav...@ngssoftware.com ] > >Reported: 23rd July 2008 > >Date of Public Advisory: 13th January 2009 > >Advisory number: #NISR13012009 > >CVE: CVE-2008-3979 > > > >Overview > >******** > >Oracle has just released a fix for a flaw that, when exploited, > >allows a low > >privileged authenticated database user to gain MDSYS privileges. > >This can be > >abused by an attacker to perform actions as the MDSYS user. > > > >Details > >******* > >MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of > > >the > >Oracle Spatial Application. It is vulnerable to SQL injection. > >When a user > >drops a table the trigger fires. The name of the table is embedded > > >in a > >dynamic SQL query which is then executed by the trigger. Note that > > >the > >Oracle advisory states that the attacker requires the DROP TABLE > >and CREATE > >PROCEDURE privileges. This is not the case and only CREATE SESSION > > > > >privileges are required. > > > >Fix Information > >*************** > >Oracle was alerted to this flaw on the 23rd July 2008. A patch has > > >now been > >made available: > > > >http://www.oracle.com/technology/deploy/security/critical-patch- > >updates/cpujan2009.html > > > >NGSSQuirreL for Oracle, an advanced vulnerability assessment > >scanner > >designed specifically for Oracle, can be used to accurately > >determine > >whether your servers are vulnerable to these flaws. More > >information about > >NGSSQuirreL for Oracle can be found here: > > > >http://www.ngssoftware.com/products/database-security/ngs-squirrel- > > >oraclephp > > > >About NGSSoftware > >***************** > >NGSSoftware, an NCC Group Company, develops vulnerability > >assessment and > >compliancy tools for database servers including Oracle, Microsoft > >SQL > >Server, DB2, Sybase and Informix. Headquartered in the United > >Kingdom NGS > >has offices in London, St. Andrews (UK), Brisbane, and Perth > >(Australia) and > >Seattle in the United States; NGS provide services to some of the > >largest > >and most demanding organizations around the globe. > > > >http://www.ngssoftware.com/ > >Telephone +44 208 401 0070 > >Fax +44 208 401 0076 > > > >-- > >E-MAIL DISCLAIMER > > > >The information contained in this email and any subsequent > >correspondence is private, is solely for the intended recipient(s) > > >and > >may contain confidential or privileged information. For those > >other than > >the intended recipient(s), any disclosure, copying, distribution, > >or any > >other action taken, or omitted to be taken, in reliance on such > >information is prohibited and may be unlawful. If you are not the > >intended recipient and have received this message in error, please > >inform the sender and delete this mail and any attachments. > > > >The views expressed in this email do not necessarily reflect NGS > >policy. > >NGS accepts no liability or responsibility for any onward > >transmission > >or use of emails and attachments having left the NGS domain. > > > >NGS and NGSSoftware are trading names of Next Generation Security > >Software Ltd. Registered office address: Manchester Technology > >Centre, > >Oxford Road, Manchester, M1 7EF with Company Number 04225835 and > >VAT Number 783096402 > > > >_______________________________________________ > >Full-Disclosure - We believe in it. > >Charter: http://lists.grok.org.uk/full-disclosure-charter.html > >Hosted and sponsored by Secunia - http://secunia.com/ > -----BEGIN PGP SIGNATURE----- > Charset: UTF8 > Version: Hush 3.0 > Note: This signature can be verified at https://www.hushtools.com/verify > > wpwEAQMCAAYFAkltMpcACgkQynWwk3/AtyOsbgP+LVLiKWqeGvuu/kFnm7sQXic8l5k1 > 9RYQ902ygOS4Nt67IkUgFgZBeTsN25d0mkH0hZDHulhTJOPNFGxwLuRVbXBF89JwjCO7 > faHEhS73TGVmm3TnUTm1ZGEg1dto36LomtrR/H1YMmMnY41RCoK1ycj8QeEFfOFiuK/v > AKEkLFw= > =Y0II > -----END PGP SIGNATURE----- > > -- > Dreaming of a career in Medical Administration? Click here to make your > dream career a reality. > > http://tagline.hushmail.com/fc/PnY6qxukq5RffaxISSWG6OsKAmNS1Ot26fn4GDJCCtUikCP599Qla/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/