CVE-2002-0569
https://notcve.org/view.php?id=CVE-2002-0569
Oracle 9i Application Server allows remote attackers to bypass access restrictions for configuration files via a direct request to the XSQL Servlet (XSQLServlet). • http://marc.info/?l=bugtraq&m=101301813117562&w=2 http://www.cert.org/advisories/CA-2002-08.html http://www.iss.net/security_center/static/8453.php http://www.kb.cert.org/vuls/id/977251 http://www.nextgenss.com/papers/hpoas.pdf http://www.securityfocus.com/bid/4298 •
CVE-2002-0559
https://notcve.org/view.php?id=CVE-2002-0559
Buffer overflows in PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allow remote attackers to cause a denial of service or execute arbitrary code via (1) a long help page request without a dadname, which overflows the resulting HTTP Location header, (2) a long HTTP request to the plsql module, (3) a long password in the HTTP Authorization, (4) a long Access Descriptor (DAD) password in the addadd form, or (5) a long cache directory name. • http://online.securityfocus.com/archive/1/254426 http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf http://www.cert.org/advisories/CA-2002-08.html http://www.kb.cert.org/vuls/id/313280 http://www.kb.cert.org/vuls/id/659043 http://www.kb.cert.org/vuls/id/750299 http://www.kb.cert.org/vuls/id/878603 http://www.kb.cert.org/vuls/id/923395 http://www.nextgenss.com/papers/hpoas.pdf http://www.securityfocus.com/bid/4032 https:// •
CVE-2002-0566
https://notcve.org/view.php?id=CVE-2002-0566
PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to cause a denial of service (crash) via an HTTP Authorization header without an authentication type. • http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf http://www.cert.org/advisories/CA-2002-08.html http://www.kb.cert.org/vuls/id/805915 http://www.securityfocus.com/bid/4037 https://exchange.xforce.ibmcloud.com/vulnerabilities/8099 •
CVE-2002-0565
https://notcve.org/view.php?id=CVE-2002-0565
Oracle 9iAS 1.0.2.x compiles JSP files in the _pages directory with world-readable permissions under the web root, which allows remote attackers to obtain sensitive information derived from the JSP code, including usernames and passwords, via a direct HTTP request to _pages. • http://marc.info/?l=bugtraq&m=101301440005580&w=2 http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf http://www.cert.org/advisories/CA-2002-08.html http://www.kb.cert.org/vuls/id/547459 http://www.securityfocus.com/bid/4034 https://exchange.xforce.ibmcloud.com/vulnerabilities/8100 •
CVE-2002-0563
https://notcve.org/view.php?id=CVE-2002-0563
The default configuration of Oracle 9i Application Server 1.0.2.x allows remote anonymous users to access sensitive services without authentication, including Dynamic Monitoring Services (1) dms0, (2) dms/DMSDump, (3) servlet/DMSDump, (4) servlet/Spy, (5) soap/servlet/Spy, and (6) dms/AggreSpy; and Oracle Java Process Manager (7) oprocmgr-status and (8) oprocmgr-service, which can be used to control Java processes. • http://marc.info/?l=bugtraq&m=101301813117562&w=2 http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf http://securitytracker.com/id?1009167 http://www.appsecinc.com/Policy/PolicyCheck7024.html http://www.cert.org/advisories/CA-2002-08.html http://www.kb.cert.org/vuls/id/168795 http://www.nextgenss.com/papers/hpoas.pdf http://www.osvdb.org/13152 http://www.osvdb.org/705 http://www.securityfocus.com/bid/4293 https://exchange.xforce.ibmcloud.com • CWE-287: Improper Authentication •