安全研究
安全漏洞
Oracle 8i/9i CTXSYS.DRILOAD SQL注入漏洞
发布日期:2004-09-02
更新日期:2004-09-06
受影响系统:
Oracle Oracle8i Standard Edition 9.2 .0.2描述:
Oracle Oracle8i Standard Edition 9.2 .0.1
Oracle Oracle8i Standard Edition 9.0.2
Oracle Oracle8i Standard Edition 9.0.1 .4
Oracle Oracle8i Standard Edition 9.0.1 .3
Oracle Oracle8i Standard Edition 9.0.1 .2
Oracle Oracle8i Standard Edition 9.0.1
Oracle Oracle8i Standard Edition 9.0
Oracle Oracle8i Standard Edition 8.1.7 .4
Oracle Oracle8i Standard Edition 8.1.7 .1
Oracle Oracle8i Standard Edition 8.1.7 .0.0
Oracle Oracle8i Standard Edition 8.1.7
Oracle Oracle8i Standard Edition 8.1.6
Oracle Oracle8i Standard Edition 8.1.5
Oracle Oracle8i Personal Edition 9.2 .0.2
Oracle Oracle8i Personal Edition 9.2 .0.1
Oracle Oracle8i Personal Edition 9.0.1
Oracle Oracle8i Enterprise Edition 9.2 .0.2
Oracle Oracle8i Enterprise Edition 9.2 .0.1
Oracle Oracle8i Enterprise Edition 9.0.1
Oracle Oracle8i Enterprise Edition 8.1.7 .1.0
Oracle Oracle8i Enterprise Edition 8.1.7 .0.0
Oracle Oracle8i Enterprise Edition 8.1.6 .1.0
Oracle Oracle8i Enterprise Edition 8.1.6 .0.0
Oracle Oracle8i Enterprise Edition 8.1.5 .1.0
Oracle Oracle8i Enterprise Edition 8.1.5 .0.2
Oracle Oracle8i Enterprise Edition 8.1.5 .0.0
Oracle Oracle8i Client Edition 9.2 .0.2
Oracle Oracle8i Client Edition 9.2 .0.1
Oracle Oracle8i 9.0.1
Oracle Oracle8i 9.0
Oracle Oracle8i 8.1x
Oracle Oracle8i 8.1.7.1
Oracle Oracle8i 8.1.7
Oracle Oracle8i 8.1.6
Oracle Oracle8i 8.1.5
Oracle Oracle8i 8.0.6
Oracle Oracle8i 8.0.5
Oracle Oracle8i 8.0.4
Oracle Oracle8i 8.0.2
Oracle Oracle8i 8.0.1
Oracle Oracle9i Standard Edition 9.2.0.4
Oracle Oracle9i Standard Edition 9.2.0.1
Oracle Oracle9i Release 2 9.2.2
Oracle Oracle9i Release 2 9.2.1
Oracle Oracle9i Personal Edition 9.2.0.4
Oracle Oracle9i Personal Edition 9.2.0.1
Oracle Oracle9i Enterprise Edition 9.2.0.4
Oracle Oracle9i Enterprise Edition 9.2.0.1
Oracle Oracle9i 9.2.0.3
Oracle Oracle9i 9.2.0.2
Oracle Oracle9i 9.2.0.1
Oracle Oracle9i 9.2
Oracle Oracle9i 9.0.2
Oracle Oracle9i 9.0.1.4
Oracle Oracle9i 9.0.1.3
Oracle Oracle9i 9.0.1.2
Oracle Oracle9i 9.0.1
Oracle Oracle9i 9.0
Oracle Database是一款商业性质大型数据库系统。
Oracle Database CTXSYS.DRILOAD对用户提交的参数缺少过滤,远程攻击者可以利用这个漏洞进行SQL注入攻击,可能提升权限。
任何合法数据库用户可以使用特殊构建SQL命令传递参数给DRILOAD执行,可导致任何合法数据库用户获得DBA权限。
<*来源:Alexander Kornbrust (ak@red-database-security.com)
链接:http://marc.theaimsgroup.com/?l=full-disclosure&m=109442003202952&q=raw
*>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 使用如下方法暂时防止此漏洞:
Drop user CTXSYS
厂商补丁:
Oracle
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1
浏览次数:3437
严重程度:0(网友投票)
绿盟科技给您安全的保障