[23949] in bugtraq
"Dec. 6: Oracle server vulnerable on Unix"
daemon@ATHENA.MIT.EDU (Elan Hasson)
Tue Jan 22 17:28:05 2002
From: "Elan Hasson" <elan@daryl.org>
To: <bugtraq@securityfocus.com>
Date: Tue, 22 Jan 2002 10:12:28 -0500
Message-ID: <AKEEKGDHBDNGMKLFCHLEGEMMCBAA.elan@daryl.org>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Not sure if this was discussed on the list(i didn't see it), but saw this on
msnbc.com today:
http://www.msnbc.com/news/668334.asp
"Dec. 6: Oracle server vulnerable on Unix"
"The Oracle database server has a security vulnerability on Unix operating
systems. The problem occurs when a non-privileged user like “nobody” runs
the Oracle executable which has a SETUID bit. This can result in the
non-privileged user overwriting Oracle log files, creating new files, and/or
changing the ORACLE_HOME environment variable. For a workaround remove the
execute permissions for the ‘other’ group: %chmod o-x oracle. Affected
versions: 8.0.x, 8.1.x, 9.0.1."
also linked to http://www.msnbc.com/news/BUGOFTHEDAY_Front.asp
Sorry if this has already been discussed.
