Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5
CVE Id CVE-2004-1362
Last Modified 05 Sep 2008 04:41:07
Published 04 Aug 2004 12:00:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2004-1362

Summary

The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters.

Vulnerable Systems

Application

  • Oracle Application Server

  • Oracle Application Server 9.0.2

  • Oracle Application Server 9.0.2.0.0

  • Oracle Application Server 9.0.2.0.1

  • Oracle Application Server 9.0.2.1

  • Oracle Application Server 9.0.2.2

  • Oracle Application Server 9.0.2.3

  • Oracle Application Server 9.0.3

  • Oracle Application Server 9.0.3.1

  • Oracle Application Server 9.0.4

  • Oracle Application Server 9.0.4.0

  • Oracle Application Server 9.0.4.1

  • Oracle Collaboration Suite Release 1

  • Oracle E-business Suite 11.5.1

  • Oracle E-business Suite 11.5.2

  • Oracle E-business Suite 11.5.3

  • Oracle E-business Suite 11.5.4

  • Oracle E-business Suite 11.5.5

  • Oracle E-business Suite 11.5.6

  • Oracle E-business Suite 11.5.7

  • Oracle E-business Suite 11.5.8

  • Oracle E-business Suite 11.5.9

  • Oracle Enterprise Manager 9

  • Oracle Enterprise Manager 9.0.1

  • Oracle Enterprise Manager Database Control 10.1.2

  • Oracle Enterprise Manager Grid Control 10.1.0.2

  • Oracle10g Enterprise 10.1.0.2

  • Oracle10g Enterprise 9.0.4.0

  • Oracle10g Personal 10.1.0.2

  • Oracle10g Personal 9.0.4.0

  • Oracle10g Standard 10.1.0.2

  • Oracle10g Standard 9.0.4.0

  • Oracle8i Enterprise 8.0.5.0.0

  • Oracle8i Enterprise 8.0.6.0.0

  • Oracle8i Enterprise 8.0.6.0.1

  • Oracle8i Enterprise 8.1.5.0.0

  • Oracle8i Enterprise 8.1.5.0.2

  • Oracle8i Enterprise 8.1.5.1.0

  • Oracle8i Enterprise 8.1.6.0.0

  • Oracle8i Enterprise 8.1.6.1.0

  • Oracle8i Enterprise 8.1.7.0.0

  • Oracle8i Enterprise 8.1.7.1.0

  • Oracle8i Enterprise 8.1.7.4

  • Oracle8i Standard 8.0.6

  • Oracle8i Standard 8.0.6.3

  • Oracle8i Standard 8.1.5

  • Oracle8i Standard 8.1.6

  • Oracle8i Standard 8.1.7

  • Oracle8i Standard 8.1.7.0.0

  • Oracle8i Standard 8.1.7.1

  • Oracle8i Standard 8.1.7.4

  • Oracle9i Client 9.2.0.1

  • Oracle9i Client 9.2.0.2

  • Oracle9i Enterprise 8.1.7

  • Oracle9i Enterprise 9.0.1

  • Oracle9i Enterprise 9.0.1.4

  • Oracle9i Enterprise 9.0.1.5

  • Oracle9i Enterprise 9.2.0

  • Oracle9i Enterprise 9.2.0.1

  • Oracle9i Enterprise 9.2.0.2

  • Oracle9i Enterprise 9.2.0.3

  • Oracle9i Enterprise 9.2.0.4

  • Oracle9i Enterprise 9.2.0.5

  • Oracle9i Personal 8.1.7

  • Oracle9i Personal 9.0.1

  • Oracle9i Personal 9.0.1.4

  • Oracle9i Personal 9.0.1.5

  • Oracle9i Personal 9.2

  • Oracle9i Personal 9.2.0.1

  • Oracle9i Personal 9.2.0.2

  • Oracle9i Personal 9.2.0.3

  • Oracle9i Personal 9.2.0.4

  • Oracle9i Personal 9.2.0.5

  • Oracle9i Standard 8.1.7

  • Oracle9i Standard 9.0

  • Oracle9i Standard 9.0.1

  • Oracle9i Standard 9.0.1.2

  • Oracle9i Standard 9.0.1.3

  • Oracle9i Standard 9.0.1.4

  • Oracle9i Standard 9.0.1.5

  • Oracle9i Standard 9.0.2

  • Oracle9i Standard 9.2

  • Oracle9i Standard 9.2.0.1

  • Oracle9i Standard 9.2.0.2

  • Oracle9i Standard 9.2.0.3

  • Oracle9i Standard 9.2.0.4

  • Oracle9i Standard 9.2.0.5


References

CERT - TA04-245A

CERT-VN - VU#435974

XF - oracle-character-conversion-gain-privileges(18657)

BID - 10871

CONFIRM - http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf

MISC - http://www.ngssoftware.com/advisories/oracle23122004G.txt

BUGTRAQ - 20041223 Oracle Character Conversion Bugs (#NISR2122004G)

SUNALERT - 101782


Last Updated: 27 May 2016 10:39:00