Application Security, Inc.

Security Updates - ASAP™ Updates
(Application Security Automatic Protection)

AppDetective™ Update 2.5.22 - 23 April 2002

NEW CHECKS

Oracle (Pen Test and Audit)

Title: ANSI join syntax bypasses object privileges

Description: Verify that the patch has been installed to prevent ANSI joins from bypassing object privileges.

Summary: Oracle9i added support for ANSI-compliant join syntax (JOIN ... ON, CROSS JOIN, and related forms) to meet the ANSI SQL99 standard. Due to a bug in the query processor in Oracle9i Release 1, queries that use the ANSI join syntax bypass Oracle's object privilege checks, while the same query written with traditional Oracle join syntax is still subject to them. Any account that can connect to the database can therefore read tables it was never granted access to.
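The following Oracle SQL script is an added example, not part of the original AppDetective update, showing how the pen-test side of this check can be reproduced by hand: a user holding only CREATE SESSION runs the same join in traditional and ANSI syntax against tables it has no privilege on. The user name JOIN_PROBE, its password, and the use of SCOTT.EMP and SCOTT.DEPT as the unprivileged target tables are assumptions for illustration.

```sql
-- Added example (not from the original AppDetective page): reproducing the
-- ANSI-join object-privilege check against an Oracle9i Release 1 database.
-- Assumptions: a DBA session is available, SCOTT.EMP and SCOTT.DEPT exist,
-- and the probe user is granted nothing on them. JOIN_PROBE and its
-- password are placeholders.

-- Step 1 (run as a DBA): create a user that can connect and nothing else.
CREATE USER join_probe IDENTIFIED BY "ChangeMe_1";
GRANT CREATE SESSION TO join_probe;

-- Step 2 (run connected as JOIN_PROBE).
-- Traditional Oracle join syntax: object privileges are enforced on every
-- release, so this must fail with ORA-00942 (table or view does not exist).
SELECT e.ename, d.dname
  FROM scott.emp e, scott.dept d
 WHERE e.deptno = d.deptno;

-- ANSI SQL99 join syntax for the identical join.
-- Unpatched 9i Release 1: returns SCOTT's rows although JOIN_PROBE holds no
-- privilege on either table (the bypass this check looks for).
-- Patched instance: must fail with ORA-00942 exactly like the query above.
SELECT e.ename, d.dname
  FROM scott.emp e
  JOIN scott.dept d ON e.deptno = d.deptno;

-- Step 3 (run as a DBA): remove the probe account when finished.
DROP USER join_probe;
```

The two statements are semantically identical, so any difference in outcome between them is the finding; a patched server produces the same ORA-00942 for both.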

Microsoft SQL Server (Pen Test and Audit)

Title: xp_sqlagent_param buffer overflow

Description: Check that the hotfix has been applied to fix the xp_sqlagent_param buffer overflow.

Summary: The extended stored procedure xp_sqlagent_param does not bound-check its first parameter. Passing a sufficiently long string in that parameter overruns a stack buffer, which may allow an attacker to overwrite the stack and execute arbitrary code. Because extended stored procedures are loaded into the SQL Server process, such code runs in the security context of the SQL Server service account, not merely that of the calling login.
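The following T-SQL script is an added example, not part of the original AppDetective update, showing the audit side of this check on a SQL Server 2000 instance: report the server build for comparison with the hotfix level, confirm the extended stored procedure is present, list who may execute it, and remove any public grant as an interim measure. The page does not state the hotfix's build number, so the version comparison is left to the reader; the interim REVOKE is an assumption of this example, not a step from the update.

```sql
-- Added example (not from the original AppDetective page): auditing
-- xp_sqlagent_param on SQL Server 2000 from a sysadmin session.
-- Assumption: the fixed build number comes from the Microsoft hotfix
-- documentation; it is not given on this page, so compare step 1 by hand.
USE master;
GO

-- Step 1: report the server build and service-pack level so the result can
--         be compared with the hotfix build.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level;
GO

-- Step 2: confirm the extended stored procedure exists in master.
--         xtype = 'X' marks extended stored procedures in sysobjects.
SELECT name, crdate
  FROM master..sysobjects
 WHERE name  = 'xp_sqlagent_param'
   AND xtype = 'X';
GO

-- Step 3: list every grant on it. A grant to public means every login on
--         the instance can reach the overflow, which is the worst case.
EXEC sp_helprotect 'xp_sqlagent_param';
GO

-- Step 4 (assumed interim hardening, only if step 3 showed a public grant):
--         withdraw execute from public until the hotfix is applied.
--         Members of sysadmin are not affected by this revoke.
REVOKE EXECUTE ON xp_sqlagent_param FROM public;
GO
```

Steps 1 to 3 are read-only and can be run during an audit; step 4 changes permissions and should be recorded as a change so it can be reverted once the hotfix is confirmed.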
