Reported October 8, 2002, by Oracle.
· Oracle 9i Application Server for Windows 2000 and Windows NT
A Denial of Service (DoS) condition exists in Oracle 9i Application Server's Web Cache Manager Tool. An attacker who sends a specially formatted HTTP GET request to the port that the Web Cache Administration process is listening on can crash the administration process. The specific HTTP GET requests involved in this vulnerability are as follows:
GET /../ HTTP/1.1
GET /some.html/ HTTP/1.1
host: host name
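From the defender's side, the two request shapes listed above are easy to pick out of an access log for the Web Cache Administration listener. The following Python is an added example, not code from Oracle's advisory or from @stake: it parses constructed Common Log Format lines (the client addresses, timestamps and paths are made up) and flags any request whose path contains a `/../` segment or ends with `.html/`, so that an administrator can correlate such requests with unexplained restarts of the administration process.

```python
"""Detection sketch for the Oracle Web Cache admin-listener request patterns.

Added example, not from Oracle's advisory or from @stake. It scans
constructed access-log lines in Common Log Format for the two request
shapes named in the advisory: a path containing "/../" and a path that
ends in ".html/". All log lines, hosts and paths below are made up.
"""
import re
from typing import Dict, List

# Common Log Format: client ident user [timestamp] "METHOD path HTTP/x.y" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# The two shapes from the advisory: a "/../" segment anywhere in the path,
# or a directory slash appended to an .html file name.
SUSPICIOUS = [
    ("dot-dot-segment", re.compile(r"/\.\./")),
    ("trailing-slash-after-html", re.compile(r"\.html/$")),
]


def parse_clf(line: str) -> Dict[str, str]:
    """Parse one CLF line; return {} for lines that are not valid CLF."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else {}


def classify(path: str) -> List[str]:
    """Return the names of every suspicious pattern the request path matches."""
    return [name for name, rx in SUSPICIOUS if rx.search(path)]


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose request path matches a pattern."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if not rec:
            continue  # skip lines that are not parseable CLF
        hits = classify(rec["path"])
        if hits:
            findings.append({
                "client": rec["client"],
                "path": rec["path"],
                "status": rec["status"],
                "rules": ",".join(hits),
            })
    return findings


# Constructed sample log lines (not real traffic from any server).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Oct/2002:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Oct/2002:10:00:02 -0400] "GET /../ HTTP/1.1" 500 0',
    '10.0.0.9 - - [08/Oct/2002:10:00:03 -0400] "GET /some.html/ HTTP/1.1" 500 0',
    '10.0.0.7 - - [08/Oct/2002:10:00:04 -0400] "GET /docs/guide.html HTTP/1.0" 200 2048',
    'not a log line at all',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['client']} {f['path']} status={f['status']} -> {f['rules']}")
```

The trailing-slash rule will also catch benign mistyped URLs, so treat a hit as a hunting lead rather than a verdict: what matters is a cluster of such requests from one client against the administration port immediately before the administration process stops responding.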
The vendor, Oracle, has released Oracle Security Alert #43 to address this vulnerability but has not released a patch. The company will include a fix for this vulnerability in Oracle 9i Application Server, release 9.02.
Discovered by Andreas Junestam of @Stake.