Re: Recent Oracle exploit is _actually_ an 0day with no patch

2006-04-28 Thread Steven M. Christey
The recent Oracle exploit posted to Bugtraq (http://www.securityfocus.com/archive/1/431353) is actually an 0day and has no patch. The referenced exploit seems to use GET_DOMAIN_INDEX_METADATA with a TYPE_NAME that references an attacker-defined package with a (modified?) ODCIIndexGetMeta

Secunia Research: Servant Salamander unacev2.dll Buffer Overflow Vulnerability

2006-04-28 Thread Secunia Research
== Secunia Research 28/04/2006 - Servant Salamander unacev2.dll Buffer Overflow Vulnerability - == Table of Contents Affected

[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() Syslog() Format String Vulnerability

2006-04-28 Thread the_day
--- [ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() Syslog() Format String Vulnerability --- Author : Dedi Dwianto

WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability

2006-04-28 Thread Sowhat
WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability By Sowhat of Nevis Labs Date: 2006.04.28 http://www.nevisnetworks.com http://secway.org/advisory/AD20060428.txt CVE: N/A Vendor WinISO Computing Inc. EZB Systems, Inc. MagicISO Inc. PowerISO Computing, Inc. Affected

Cireos Portal Cross Site Scripting

2006-04-28 Thread outlaw
#Aria-Security.net Advisory #Discovered by: O.u.t.l.a.w # www.Aria-security.net #Gr33t to: A.u.r.a [EMAIL PROTECTED] Smok3r #--- Software: SirceOS Operative Solutions Link: http://www.circeos.it Attack method: Cross Site Scripting

[Argeniss] Alert - Yahoo! Mail XSS vulnerability

2006-04-28 Thread Cesar
Yahoo! Mail XSS vulnerability Description: Yahoo! Mail is a very insecure and free Web Mail service. It allows HTML messages but it has filters to avoid malicious script being executed on users' browsers. On 17 April 2006 I received a message that when viewed it redirected to a fake Yahoo! Mail

Re: Recent Oracle exploit is _actually_ an 0day with no patch

2006-04-28 Thread Cesar
David is right, we also have reported hundreds of vulnerabilities to Oracle and they only fix what you report to them, they don't care to fix the same vulnerability on different portions of code, one good example is that Oracle should have eliminated SQL injection bugs since long time ago but there

[Kurdish Security #3] CoolMenus Event Remote File Include Vulnerability (For PHP)

2006-04-28 Thread botan
Original Advisory : http://kurdishsecurity.blogspot.com/2006/04/coolmenus-event-remote-file-include.html #CoolMenus Event Remote File Include Vulnerability# #Website : http://coolmenus.dhtmlcentral.com/projects/coolmenus [Closed] #Script : CoolMenus v4.0 Event Script #Risk : High #Class :

[ GLSA 200604-18 ] Mozilla Suite: Multiple vulnerabilities

2006-04-28 Thread Thierry Carrez
Gentoo Linux Security Advisory GLSA 200604-18 http://security.gentoo.org/

[Kurdish Security #2] Artmedic Event Remote File Include Vulnerability

2006-04-28 Thread botan
Original Advisory : http://kurdishsecurity.blogspot.com/2006/04/artmedic-event-remote-file-include.html #Artmedic Event Remote File Include Vulnerability #Website : http://www.artmedic.de/ #Script : Artmedic Event Script #Risk : High #Class : Remote #Greetz : B3g0k,Nistiman,Flot,Netqurd

RE: Recent Oracle exploit is _actually_ an 0day with no patch

2006-04-28 Thread Kornbrust, Alexander
Cesar, David and Steve, I agree with your opinion. Oracle is not really fast fixing security issues. Currently I have 40+ OPEN/UNFIXED security issues in Oracle products. A detailed list from Oracle secalert (Report March 2006) can be found at the end of this email or (the latest version) on my

Re: Recent Oracle exploit is _actually_ an 0day with no patch

2006-04-28 Thread David Litchfield
The recent Oracle exploit posted to Bugtraq (http://www.securityfocus.com/archive/1/431353) is actually an 0day and has no patch. The referenced exploit seems to use GET_DOMAIN_INDEX_METADATA with a TYPE_NAME that references an attacker-defined package with a (modified?) ODCIIndexGetMeta