CVE-2006-5340 - Ungirthed Split
Description
Multiple unspecified vulnerabilities in Oracle Spatial component in Oracle Database 8.1.7.4 9.0.1.5 9.2.0.8 10.1.0.5 and 10.2.0.2 have unknown impact and remote authenticated attack vectors related to (1) mdsys.sdo_lrs aka Vuln DB13 and (2) Vuln DB17. NOTE: as of 20061023 Oracle has not disputed reports from reliable third parties that DB13 is related to bypassing input validation for SQL injection related to convert_to_lrs_layer and dbms_assert and DB17 is related to SQL injection in the trigger in the SDO_DROP_USER package.
Reference
http://www.securityfocus.com/bid/20588 http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html http://www.us-cert.gov/cas/techalerts/TA06-291A.html http://securitytracker.com/id?1017077 http://secunia.com/advisories/22396 http://archive.cert.uni-stuttgart.de/archive/bugtraq/2006/07/msg00489.html http://archive.cert.uni-stuttgart.de/archive/bugtraq/2006/07/msg00500.html http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf http://www.red-database-security.com/wp/bypass_dbms_assert.pdf http://www.kb.cert.org/vuls/id/869292 http://www.vupen.com/english/advisories/2006/4065 http://www.oracle.com/technetwork/topics/security/cpuoct2006-095368.html http://www.securityfocus.com/archive/1/449711/100/0/threaded http://www.securityfocus.com/archive/1/449512/100/0/threaded http://www.securityfocus.com/archive/1/449110/100/0/threaded