tl;dr -> Patch your database ASAP with Oracle Critical Patch Update
April 2012.
Introduction
------------
The following advisory explains a vulnerability I found in 2008 in all
versions of Oracle Database server until very recently. The bug is
probably available in any Oracle Database version since 1999 (Oracle 8i)
to the latest one (Oracle 11g) without the CPU-APR-2012. The bug was
> - Default Database Disclosure:
> /forum/snitz_forums_2000.mdb
> Solution:
> Change the database name. The name should be a combination of
> letters and numbers.
>
> That makes it hard for anyone to guess the name of your database.
As a long time Snitz user who has installed it far more times than one would
consider sane, I question the validity of this advisory. While it is true
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The DBA role in Oracle Database is not the same as SYSDBA privilege,
which is granted to SYS. There are many things that a user granted the
DBA role can't do - the most important being the ability to alter SYS
owned objects. This is true on databases where
O7_DICTIONARY_ACCESSIBILITY=FALSE (default value).
This vulnerability allows any user with execute privileges on the
$newpassword = rand(10000, 50000);
$md5pass = md5($newpassword);
-----------------------------[source code end]---------------------------------
3. Unauthorized database backup vulnerability in "backup-database.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. missing access control
Preconditions:
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
It is found that the search function provided within WordPress fails to
sanitize input based on different character sets. So if WordPress tries
to query MySQL database using certain specific character sets, WordPress
search function is exploitable using charset-based SQL injection.
Currently known character sets exploitable include Big5 and GBK.
All of them may use backslash ('\') as part of a multibyte character.
WordPress with MySQL database created any other character sets fulfilling
Abstract
------------------------------------------------------------------------
While doing a quick sweep over the code base of FreeWebshop.org (FWS)
several vulnerabilities have been found in FWS. These vulnerabilities
allow attackers to obtain arbitrary information from the webserver and
database. It is even possible to execute arbitrary code with the
privileges of FWS. In some cases it may even be possible to fully
compromise the system on which FWS is installed. Most of these issues
are related to the fact that FWS fully trusts the content of the cookies
that it receives. These issues were discovered within a very small
time frame; it is likely that more issues exist within FWS. A full
------------------------------
URL: http://websecurity.com.ua/4419/
------------------------------
These are Information Leakage and Full path disclosure vulnerabilities which
I found on 05.06.2007. They concern the WordPress Database Backup plugin,
which was a part of WordPress 2.0.x (was a core plugin).
------------------------------
1. Information Leakage.
------------------------------
Finding 1: PHP Code Execution and Persistent Cross Site Scripting
Vulnerabilities via 'setup-config.php' page.
CVE: CVE-2011-4899
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete. However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.
After the successful installation of WordPress, a malicious user can inject
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 15, 2008
I. BACKGROUND
Oracle Database Server is a family of database products that range from
personal databases to enterprise solutions. Further information is
available at the following URL.
http://www.oracle.com/database/index.html
# + The reseller has 1 users
# + Host thegoodone.com is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# / Trying to create a database
# + Database 92xpl_db39 successfully created
# + Using database id 12
# / Trying to add SQL user
# + User 93xpl_usr2 successfully created
# + Using SQL user id 17
sqlmap is an open source command-line automatic SQL injection tool.
Its goal is to detect and take advantage of SQL injection
vulnerabilities in web applications. Once it detects one or more SQL
injections on the target host, the user can choose among a variety of
options to perform an extensive back-end database management system
fingerprint, retrieve DBMS session user and database, enumerate users,
password hashes, privileges, databases, dump entire or user's
specified DBMS tables/columns, run his own SQL statement, read or
write either text or binary files on the file system, execute
arbitrary commands on the operating system, establish an out-of-band
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2009
I. BACKGROUND
Oracle Database Server is a family of database products that range from
personal databases to enterprise solutions. Further information is
available at the following URL:
http://www.oracle.com/database/index.html
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:
Quoting http://www.sql-ledger.org/cgi-bin/nav.pl?page=about.html&title=About:
| SQL-Ledger® ERP is a double entry accounting/ERP system. Accounting data is
| stored in a SQL database server, for the display any text or GUI browser can be
| used. The entire system is linked through a chart of accounts. Each item in
| inventory is linked to income, expense, inventory and tax accounts. When items
| are sold and purchased the accounts are automatically updated.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Published: June 19, 2009
Updated: June 19, 2009
INTRODUCTION
There exists a vulnerability within a function of the ToolTalk database server
(rpc.ttdbserverd), which when properly exploited can lead to remote compromise
of the vulnerable system.
This vulnerability was confirmed by us in the following versions of operating
systems; other operating systems and versions may also be affected.
Oracle is a widely-deployed Database Management System (DBMS) that supports a variety of applications. Many multi-tier applications are designed to use proxy authentication, restricting a middle tier to establish the database connection on behalf of the users. The standard authentication mechanism requires the client, the middle tier in this case, to provide valid credentials in order to authenticate and connect to the DBMS. User sessions are then created through the proxy connection. Oracle TNS protocol messages are used for session setup, authentication and data transfer.
Scope
Imperva’s Application Defense Center (ADC) conducts extensive research on enterprise applications and databases. During its research, the team has identified a vulnerability in Oracle’s proxy authentication and access control mechanism.
Findings
Apr 15, 2008
I. BACKGROUND
Oracle Application Express (Oracle APEX), formerly called HTML DB, is a
rapid web application development tool for the Oracle database. For
more information about Oracle Application Express, please visit the
following URL.
http://www.oracle.com/technology/products/database/application_express/index.html
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 07, 2007
I. BACKGROUND
Oracle Database Server is a family of database products that range from
personal databases to enterprise solutions. Further information is
available at the following URL.
http://www.oracle.com/database/index.html
A SQL injection vulnerability exists in the Log On page of the web
interface for Cisco CallManager AKA Unified Communications Manager. An
unauthenticated attacker who is able to access the Log On page could
exploit this vulnerability to run arbitrary SQL commands as the logged
in database user, usually cm_publisher. By running SQL commands, the
attacker could gain information about the CallManager configuration,
including call records.
AFFECTED SOFTWARE
=================
------------------------------
1. Cross-Site Request Forgery.
------------------------------
Taking into account that the WordPress Database Backup plugin has no
protection against CSRF, it's possible to attack the admin with the help of
this CSRF vulnerability. It can be done to force a backup, in order to
get the backup of the site's DB via the earlier mentioned Information Leakage
vulnerability, or for the purpose of creating a large number of backup
files, to occupy free space on the server. Or in order to receive backup on
Risk Level:
High
Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.2 (and
previous patchsets)
Oracle Enterprise Manager Grid Control 10.2.0.4 (and previous patchsets)
Remote exploitable:
Risk Level:
High
Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.3 (and
previous patchsets)
Oracle Enterprise Manager Grid Control 10.2.0.5, 11.1.0.1 (and previous
patchsets)
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
FreeBSD's C library (libc) contains code for creating and accessing
Berkeley DB 1.85 database files. Such databases are used extensively
in FreeBSD; for example, the system password files (/etc/passwd and
/etc/master.passwd) are normally accessed via their database files
(/etc/pwd.db and /etc/spwd.db).
II. Problem Description
See http://www.petefinnigan.com/Advisory_CPU_Jan_2008.htm for details.
Description
Oracle Ultra-Search uses database and Oracle text functionality to
provide a uniform search function that is fully integrated with the SQL
language and where it allows full text search capabilities within the
database. For more details see Introduction to Oracle Ultra Search
<http://support.cs.nott.ac.uk/help/docs/databases/oracle/standard/ultra.101/b10731/over.htm>.
The issue located by PeteFinnigan.com Limited relates to excessive
[waraxe-2007-SA#052] - dBlog CMS Open Source database retrieval
====================================================================
Author: Janek Vind "waraxe"
Date: 19. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-52.html
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
AppSecInc Team SHATTER Security Advisory
Privilege escalation via internal sql injection in RESTORE DATABASE command.
Risk Level:
Medium
Affected versions:
Risk Level:
High
Affected versions:
Oracle Database Server version 10gR1, 10gR2 (10.2.0.4 and previous
patchsets) and 11gR1 (11.1.0.7 and previous patchsets)
Remote exploitable:
Yes (No authentication is required)
Risk Level:
Medium
Affected versions:
Oracle Database Server version 10gR1, 10gR2 (10.2.0.4 and previous
patchsets) and 11gR1 (11.1.0.7 and previous patchsets)
Remote exploitable:
Yes (No authentication is required)
Risk Level:
High
Affected versions:
Oracle Database Server version 10gR1, 10gR2 (10.2.0.4 and previous
patchsets) and 11gR1 (11.1.0.7 and previous patchsets)
Remote exploitable:
Yes (No authentication is required)
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that the Zope Object Database (ZODB) database server
(ZEO) improperly filtered certain commands when a database is shared among
multiple applications or application instances. A remote attacker could
send malicious commands to the server and execute arbitrary code.
(CVE-2009-0668)
3. *Vulnerability Description*
SolidDB is an in-memory relational database from IBM with over 3,000,000
deployments [1]. It is used as an embedded database by independent
software vendors of enterprise applications, telecommunications and
embedded software and systems. IBM reports SolidDB as being used in
mission-critical applications from Cisco, HP, Alcatel and Nokia Siemens.
The in-memory database is also used as core component of IBM SolidDB