Reported October 8, 2002, by Oracle.

VERSION AFFECTED

- Oracle 9i Application Server for Windows 2000 and Windows NT

DESCRIPTION


A Denial of Service (DoS) condition exists in Oracle 9i Application Server's Web Cache Manager Tool. An attacker who sends a specially formatted HTTP GET request to the port that the Web Cache Administration process is listening on can crash the administration process. The specific HTTP GET requests involved in this vulnerability are as follows:

Request 1:

GET /../ HTTP/1.1
host: hostname
[Enter]
[Enter]


Request 2:

GET /some.html/ HTTP/1.1
host: host name
Transfer Encoding
[Enter]
[Enter]
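Because no patch is available, the practical defence is to keep the administration port off untrusted networks and to watch traffic that does reach it. The following Python example, added here and not part of the advisory (it is neither Oracle's nor @Stake's code), classifies raw HTTP requests against the two shapes shown above: a dot-dot segment in the request target, a trailing slash after a file name, and a header line with no colon (the bare "Transfer Encoding" line). The sample requests, and the names parse_request and classify_request, are constructed for illustration.

```python
import re

# Constructed sample requests, as a proxy or sensor in front of the
# administration port would capture them (CRLF line endings).
SAMPLE_REQUESTS = [
    b"GET /../ HTTP/1.1\r\nhost: hostname\r\n\r\n",                       # Request 1
    b"GET /some.html/ HTTP/1.1\r\nhost: host name\r\nTransfer Encoding\r\n\r\n",  # Request 2
    b"GET /index.html HTTP/1.1\r\nHost: webcache.example\r\n\r\n",         # benign
]

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


def parse_request(raw):
    """Split a raw request into (method, target, headers, malformed).

    headers is a list of (name, value) pairs; malformed lists header lines
    that are not of the form 'Name: value'. Returns None if the request
    line itself does not parse.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers, malformed = [], []
    for line in lines[1:]:
        if line == b"":
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            # A header line with no colon is what Request 2 sends.
            malformed.append(line.decode("latin-1"))
        else:
            headers.append((name.strip().lower().decode("latin-1"),
                            value.strip().decode("latin-1")))
    return (m.group("method").decode("ascii"),
            m.group("target").decode("latin-1"), headers, malformed)


def classify_request(raw):
    """Return the list of advisory patterns the request matches (empty = benign)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["unparseable request line"]
    _method, target, _headers, malformed = parsed
    reasons = []
    path = target.split("?", 1)[0]
    segments = path.split("/")
    # Request 1: a '..' path segment sent to the administration port.
    if ".." in segments:
        reasons.append("dot-dot segment in request target")
    # Request 2: the target ends in '/' directly after a file-looking name.
    if path.endswith("/") and len(segments) >= 2:
        last = segments[-2]
        if "." in last and last not in (".", ".."):
            reasons.append("trailing slash after file name")
    for line in malformed:
        reasons.append("header line without colon: %r" % line)
    return reasons


def scan(requests):
    """Map each request to its findings, keeping only those that matched."""
    return {i: classify_request(r) for i, r in enumerate(requests) if classify_request(r)}


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_REQUESTS).items():
        print("request %d: %s" % (idx, "; ".join(reasons)))
```

The classifier is deliberately narrow: it keys on the structural oddities the advisory documents rather than on any particular path, so a normal request to the administration interface produces no finding while either of the two shapes above does.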


VENDOR RESPONSE


The vendor, Oracle, has released Oracle Security Alert #43 to address this vulnerability but has not released a patch. The company will include a fix for this vulnerability in Oracle 9i Application Server, release 9.02.


CREDIT

Discovered by Andreas Junestam of @Stake.