Reported November 5, 2003, by NGSSoftware.

VERSIONS AFFECTED

  • Oracle9i Application Server Releases 1 and 2

  • Oracle Relational Database Management System (RDBMS)

DESCRIPTION

Multiple SQL-injection vulnerabilities in Application Server and RDBMS can result in remote compromise of the vulnerable server. Many of the Procedural Language/SQL (PL/SQL) packages and procedures that Application Server uses are vulnerable to SQL injection. An unauthenticated attacker can exploit these vulnerabilities to gain access from the Internet to all data in the database.

VENDOR RESPONSE

Oracle has released an alert regarding this vulnerability.

CREDIT

Discovered by NGSSoftware.