Application Security, Inc.

Security Updates - ASAP™ Updates
(Application Security Automatic Protection)

AppDetective™ Update 2.5.67 - 15 August 2002

NEW CHECKS

Oracle (Pen Test/Security Audit)

Title: Listener format string buffer overflow
Summary: The listener process loads and parses the file listener.ora at startup. It does not properly handle format strings placed in the file; if an attacker places a maliciously crafted format string in the file, the listener process will overwrite the stack and possibly execute arbitrary code.

Title: Listener debug DoS
Summary: When an invalid value for the undocumented command "debug" is sent to the listener service, the listener service crashes. This bug allows an unauthenticated user to prevent access to the database.

Title: Brute-force database username
Summary: A database username has been discovered. By modifying the login sequence, an attacker can detect whether an account name exists or not. This allows the attacker to collect a list of valid users by trying all valid combinations of letters.

Title: Brute-force database password
Summary: One of the common methods used to attack a database is brute-forcing the passwords. This involves trying to connect to the database using every combination of letters up to a specified maximum length.

Title: Brute-force role password
Summary: If a weak password is selected for a role, it can be discovered by brute force. One of the common methods used to attack a database is brute-forcing the passwords. This involves trying to connect to the database using every combination of letters up to a specified maximum length.
