http://www.integrigy.com daily 1 2006-07-18T19:54:09Z http://www.integrigy.com/security-resources/alerts/oracle-apps-sql-injection Multiple SQL injection vulnerabilities exist in the Oracle E-Business Suite 11i and Oracle Applications 11.0. These vulnerabilities can be remotely exploited simply using a browser and sending a specially crafted URL to the web server. A mandatory patch from Oracle is required to solve these security issues. No publisher ploneadmin Risk: High Oracle E-Business Suite 2006-07-18T02:19:08Z Page http://www.integrigy.com/security-resources/alerts/fndwrr-vulnerability The Oracle Applications FNDWRR CGI program, used to retrieve report output from the Concurrent Manager server via a web browser, has a remotely exploitable buffer overflow. A mandatory patch from Oracle is required to solve this security issue. No publisher ploneadmin Risk: High Oracle E-Business Suite 2006-07-18T02:19:17Z Page http://www.integrigy.com/security-resources/alerts/aolj-information-disclosure No publisher ploneadmin Risk: Information 2006-07-18T02:19:24Z Page http://www.integrigy.com/security-resources/alerts/fndfs-vulnerability The Oracle Applications FNDFS program, used to retrieve report output from the Concurrent Manager server, can be used to remotely retrieve any file from the server without operating system or application authentication. A mandatory patch from Oracle is required to solve this security issue. No publisher ploneadmin Risk: High 2006-07-18T02:19:31Z Page http://www.integrigy.com/security-resources/alerts/reports-server-password-disclosure The Oracle Reports Server may disclose the current APPS password. Oracle Reports Server is installed as part of the default installation and is used by Oracle Business Intelligence (BIS) and related business intelligence modules (Financial Intelligence, etc.). No publisher ploneadmin Risk: High 2006-07-18T02:19:40Z Page http://www.integrigy.com/security-resources/alerts/oracle-applications-search-engines Oracle E-Business Suite self-service applications are often connected to the Internet for direct access by customers, suppliers, and employees. Using search engines (Google, Altavista, etc.) and simple search phrases, hackers can quickly find instances of the Oracle E-Business Suite to attack. All Internet accessible instances of the Oracle E-Business Suite should be shielded from web crawlers and indexing services. No publisher ploneadmin Risk: Information Oracle E-Business Suite 2006-07-18T02:19:48Z Page http://www.integrigy.com/security-resources/alerts/apache-information-disclosure As part of a default Apache installation, two default cgi-bin scripts, printenv and test-cgi, are installed. Oracle has included these scripts in the installation of 11i. This script provides information regarding the installation, which could be used in an attack. No publisher ploneadmin Risk: Low 2006-07-18T02:19:55Z Page