RE: Oracle 10g 10.2.0.2.0 DBA exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Oracle 10g 10.2.0.2.0 DBA exploit
From: "putosoft softputo" <hasecorp@xxxxxxxxxxx>
Date: Mon, 01 May 2006 15:27:31 +0000
Cc: davidl@xxxxxxxxxxxxxxx, cesar@xxxxxxxxxxxx, ak@xxxxxxxxxxxxxxxxxxxxxxxxx, Mary.Ann.Davidson@xxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Patches for 10.2.0.2.0 have been released but the bug is not solved. Patchesfor other plattforms (such as HPUX or AIX) have been re-scheduled. It's notimportant because ANY plattform (even with latest CPU) is vulnerable.

An exploit for Oracle 10.2.0.2.0 was published by N1v1hD $3c41r3 andexploits for Oracle 8.1.7.4 and Oracle 9.2.0.7 have been published by DavidLitchfield.

How can I say to my customers that they need to wait for 2 months to havethe solution for an stupid issue that can compromise the fully databaseserver?

How can I say to my customers "Hey! Sorry! But Oracle have been tried tosolve the f*ing issue about 3 or 4 times but they failed. You need to wait 2months (again) for a fix that may or may not solve the vulnerability."


_________________________________________________________________

Acepta el reto MSN Premium: Correos más divertidos con fotos y textosincreíbles en MSN Premium. Descárgalo y pruébalo 2 meses gratis.http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_correosmasdivertidos

Prev by Date: Re: CoolMenus Event Remote File Inclusion exploit
Next by Date: FTP Fuzzer
Previous by thread: Oracle 10g 10.2.0.2.0 DBA exploit
Next by thread: XSS Vulnerability in Guest-book script powered by Community Architect
Index(es):
- Date
- Thread