Security Alerts

Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities
Multiple SQL injection vulnerabilities exist in the Oracle E-Business Suite 11i and Oracle Applications 11.0. These vulnerabilities can be remotely exploited simply using a browser and sending a specially crafted URL to the web server. A mandatory patch from Oracle is required to solve these security issues.
Oracle E-Business Suite FNDWRR Buffer Overflow
The Oracle Applications FNDWRR CGI program, used to retrieve report output from the Concurrent Manager server via a web browser, has a remotely exploitable buffer overflow. A mandatory patch from Oracle is required to solve this security issue.
Oracle E-Business Suite AOL/J Setup Test Information Disclosure
 
Oracle E-Business Suite FNDFS Vulnerability
The Oracle Applications FNDFS program, used to retrieve report output from the Concurrent Manager server, can be used to remotely retrieve any file from the server without operating system or application authentication. A mandatory patch from Oracle is required to solve this security issue.
Oracle Reports Server APPS Password Disclosure
The Oracle Reports Server may disclose the current APPS password. Oracle Reports Server is installed as part of the default installation and is used by Oracle Business Intelligence (BIS) and related business intelligence modules (Financial Intelligence, etc.).
Internet Connected Applications and Search Engines
Oracle E-Business Suite self-service applications are often connected to the Internet for direct access by customers, suppliers, and employees. Using search engines (Google, Altavista, etc.) and simple search phrases, hackers can quickly find instances of the Oracle E-Business Suite to attack. All Internet accessible instances of the Oracle E-Business Suite should be shielded from web crawlers and indexing services.
Information Disclosure through Default Apache Scripts
As part of a default Apache installation, two default cgi-bin scripts, printenv and test-cgi, are installed. Oracle has included these scripts in the installation of 11i. These scripts disclose information about the installation and environment, which could be used in an attack.