Buffer Overflow in DBMS_SYSTEM.KSDWRT() in Oracle8i - 9i
Details

An Oracle user with permission to execute the dbms_system package can crash the entire database by passing a specially crafted parameter to the function dbms_system.KSDWRT(). By default only DBA users have access to this package. It is sometimes possible for application developers or the application itself to have access to this package in order to write messages into the alert.log. (Details on how to use this package are published on OTN.)

Workarounds

Revoke grants from dbms_system.

Example

    execute sys.dbms_system.ksdwrt(2,'!!!!... (1512 exclamation marks)');

Patch Information

Please see MetaLink document ID 281189.1 for the patch download procedures and for the Patch Availability Matrix for this Oracle Security Alert. [metalink.oracle.com]

History

24-jul-2003 Oracle secalert was informed
24-jul-2003 Bug confirmed
31-aug-2004 Oracle published alert 68
25-apr-2005 Example and time to fix added

© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
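The workaround above ("Revoke grants from dbms_system") requires knowing who holds the grant and which application code relies on it. The following audit script is an added example, not part of the original advisory or Oracle's patch documentation. It assumes a DBA session with access to the DBA_* dictionary views and a release that accepts CONNECT BY over those views. It only generates REVOKE statements for review and does not execute them.

```sql
-- Added example: audit access to SYS.DBMS_SYSTEM before applying the workaround.

-- 1. Users and roles holding a direct EXECUTE grant on the package.
SELECT grantee, grantor, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_SYSTEM'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 2. Users and roles that inherit the grant through a chain of roles.
--    Each row means: grantee reaches the package via granted_role.
SELECT DISTINCT grantee, granted_role
  FROM dba_role_privs
 START WITH granted_role IN (SELECT grantee
                               FROM dba_tab_privs
                              WHERE owner      = 'SYS'
                                AND table_name = 'DBMS_SYSTEM'
                                AND privilege  = 'EXECUTE')
CONNECT BY PRIOR grantee = granted_role
 ORDER BY grantee;

-- 3. Stored code outside SYS that references the package, for example
--    application logging routines that write to the alert.log.
--    These objects become invalid once their owner loses the grant.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'DBMS_SYSTEM'
   AND owner <> 'SYS'
 ORDER BY owner, name;

-- 4. Generate one REVOKE per direct grantee. Review the output against
--    the results of queries 2 and 3 before running any of it.
SELECT 'REVOKE EXECUTE ON sys.dbms_system FROM "' || grantee || '";'
         AS revoke_stmt
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_SYSTEM'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;
```

After the revokes are applied, rerunning queries 1 and 2 should return only the accounts that are meant to keep access.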