Re: [Full-disclosure] ZDI-08-088: Oracle E-Business Suite Self-Service Web Applications SQL Injection Vulnerability

2008-12-16 Integrigy Alerts
The Zero Day Initiative advisory ZDI-08-088 has several inaccuracies. Oracle actually fixed this vulnerability as part of the April 2007 Critical Patch Update and subsequently in ATG_PF.H RUP5 and later. The vulnerability is a serious SQL injection bug in a Self-Service Web Application database

[Full-disclosure] Oracle Jinitiator 1.1.8 Vulnerabilities CVE-2007-4467 - Additional Information

2007-09-12 Integrigy Alerts
US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467). Due to limited public technical information on Jinitiator, no access to the Oracle support website, and maybe lack of

[Full-disclosure] Oracle E-Business Suite Vulnerability Information April 2007

2007-04-18 Integrigy Alerts
Integrigy has released additional information on the Oracle E-Business Suite 11i and R12 security vulnerabilities in the April 2007 Oracle Critical Patch Update. This analysis includes details (type, impact, etc.) regarding the vulnerabilities, a review of the required patches, and advice on

[Full-disclosure] Evading Oracle Database IDS and Auditing Solutions

2006-12-12 Integrigy Alerts
More and more Oracle Database customers are implementing IDS and auditing solutions to satisfy legislative requirements like SOX and HIPAA. Often these tools are implemented with little testing or awareness that there are potentially multiple techniques that can easily be used to evade these