Bugtraq mailing list archives
Oracle Web Listener for AIX DoS
From: prg () N-M COM (Peter Grundl)
Date: Tue, 4 Jul 2000 12:10:24 +0200
Oracle Web Listener for AIX DoS

Advisory Code: VIGILANTE-2000002
Release Date: July 4, 2000

Systems Affected:
  Oracle_Web_Listener/4.0.7.0.0 for AIX
  Oracle_Web_Listener/4.0.8.1.0 for AIX
  Possibly other operating systems as well; this has not been tested.

Systems not Affected:
  Oracle_Web_Listener/4.0.8.0.0 for Windows NT
  Oracle_Web_Listener/4.0.8.1.0 for Windows NT
  Oracle_Web_Listener/4.0.8.2.0 for Windows NT
  Oracle_Web_Listener/4.0.8.1.0 for Sun

THE PROBLEM

By issuing a malformed URL (variations on "..") it is possible to cause a Denial of Service situation where the Oracle_Web_Listener will no longer accept HTTP requests and the service needs to be restarted.

Vendor Status:

Vendor was contacted through e-mail (3 times) and direct phone calls (5 times) from the end of May until today. However, we were told that without a support contract this incident would receive low priority. We were offered to purchase a support contract so we could report the vulnerability correctly. We do not use any Oracle products and fail to grasp why we should purchase a support contract in order to help Oracle.

Fix:

Older versions are no longer supported since 1st of June 2000, which means 4.0.7.0.0 will never be fixed. The vulnerability still exists in 4.0.8.1.0, and is unlikely to have been addressed in 4.0.8.2.0.

Vendor URL: http://www.oracle.com
Program URL: http://www.oracle.com/appserver/

Copyright VIGILANTe 2000-07-04

Disclaimer:

The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.

Feedback:

Please send suggestions, updates, and comments to:
VIGILANTe
mailto: info () vigilante com
http://www.vigilante.com
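The advisory does not publish the exact request that hangs the listener, only that it is a variation on "..". An operator who cannot patch (4.0.7.0.0 is out of support) still wants to spot such requests in access logs or reject them at a front-end proxy before they reach the listener. The following is an added example, not code from the advisory or from VIGILANTe or Oracle: it canonicalises a request target (repeated percent-decoding, backslash to slash) and flags any path that contains a real ".." segment while leaving ordinary filenames with embedded dots alone. The request lines, the ".." encodings and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (assumption: an access log that records the
# HTTP request line). None of these is the advisory's actual trigger, which is
# not disclosed; they only cover the encodings commonly used to hide "..".
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /docs/../../etc/passwd HTTP/1.0",          # plain dot-dot
    "GET /docs/%2e%2e/%2e%2e/etc/passwd HTTP/1.0",  # percent-encoded dots
    "GET /docs/..%5c..%5cetc/passwd HTTP/1.0",      # encoded backslashes
    "GET /docs/%252e%252e/config HTTP/1.0",         # double-encoded dots
    "GET /a.b/c..d/file.txt HTTP/1.0",              # dots inside a name, benign
]

# A traversal segment is ".." bounded by a separator (or path start/end).
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")


def normalize_path(raw_target, max_rounds=3):
    """Return the path with percent-encoding (including nested encoding)
    removed and backslashes folded to slashes, so the regex sees what the
    server's path handling would eventually see."""
    path = raw_target.split("?", 1)[0]          # drop the query string
    for _ in range(max_rounds):                 # bounded: avoid decode loops
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_dotdot_variant(raw_target):
    """True if the request target resolves to a path containing a '..' segment."""
    return DOTDOT.search(normalize_path(raw_target)) is not None


def flag_requests(request_lines):
    """Return the request targets from the given request lines that should be
    blocked or alerted on."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue                            # malformed line, not a request
        target = parts[1]
        if is_dotdot_variant(target):
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for target in flag_requests(SAMPLE_REQUESTS):
        print("dot-dot variant:", target)
```

The decode loop is bounded on purpose: an attacker can nest percent-encoding arbitrarily, and a filter that decodes until a fixed point is itself a DoS target. Three rounds is enough to catch double encoding, which is the most common evasion; anything still encoded after that can be rejected outright as malformed.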