News

Buffer Overflow Flaw in Oracle9i Component

Security researcher David Litchfield found a high risk problem in the form of a buffer overflow vulnerability occurring in a software component that ships with the Oracle 9i database on all platforms.

Oracle has a patch available at its Oracle Metalink site (metalink.oracle.com) under issue number 2581911.

The affected component is called Oracle iSQL*Plus. It is a Web-based application allowing users to query the database. Installed with the Oracle 9i database server, iSQL*Plus runs on Apache.

The buffer overrun occurs at the default log-in screen. By supplying an overly long user ID parameter, a user can overrun a buffer and potentially run arbitrary code in the context of the Web server. On Windows systems that security context is as a System user.

Compromising the Web server can give attackers a platform to launch attacks against the database server, according to a bulletin from Litchfield's company, Next Generation Security Software, Ltd.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.