-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Exploit code released
Oracle Forms and Reports 9iAS, 9iDS, 10G (DS and AS), and 10G AS Reports/Forms Standalone Installation 11g if patch or workaround not applied 12g code rewrite has mitigated this vulnerability. Undocument PARSEQUERY function allows dumping database user/pass@db with unauthenticated browser. Patch/workaround doesn't seem to actually address the parsequery problem but seems they simply obfuscated it by disabling diagnostic output. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3153 URLPARAMETER vulnerability allows browsing/downloading files, planting files as well as gaining a remote shell http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3152 and CVE-2012-???? Exploits can be found here http://netinfiltration.com/ - -- Dana Taylor http://netinfilration.com @netinfiltration @miss_sudo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJS5uXJAAoJELwuSLPAtCgju9cH/0QcPuT8wGEbxAaxaHyFJl5r BxdGCXm51pUFBa3poh9hxYDinxRqhPsWCzgBNW/xfgVF8xk0/XGSNfLNpLRE3q0d x8M2H0HSXAHozv1ItdCh2C1Xdd35qvDXy6IzR1MiHT8Jv3RyznucrkdyHYFbT1as 7ppxktSbBltOxADg8TLHOAnmMNwD3kpZUYnMVuK9G1bL7GgAo7npyBr7A2mvPN1B OPeAb5rfDpFZeT6OJ1VoodE4gOOKdvb6iexYe9yHfzeispZp948ItVhhPAhYbRXJ PYjA7lZiZnNwZeZKotGJxv2Z8L2CbE10q7N8W/ntSbLOfrm4REL0tJ8NvAxg72M= =XkQd -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/