Reported April 30, 2003, by NGSSoftware
Oracle Database Link Buffer Overflow in Oracle9i Release 1 and 2; Oracle 8i, all releases; Oracle 8, all releases; and Oracle 7.3.x
The Oracle database server contains a buffer-overflow condition. To exploit the condition, a malicious user can provide a long parameter for a connect string with the CREATE DATABASE LINK query.
A query must first be created:
CREATE DATABASE LINK ngss
CONNECT TO hr
IDENTIFIED BY hr
Then the database must be selected, where the overflow is then triggered upon selection:
select * from table@ngss
Oracle has released a patch to correct the problem.
Discovered by NGSSoftware