Bug hunter David Litchfield on Wednesday provided limited details on a new, unpatched security flaw in Oracle software. The problem lies in the PLSQL Gateway, a component of the Oracle Internet Application Server, the Oracle Application Server and the Oracle HTTP Server, he said in an e-mail to the BugTraq mailing list. Litchfield is co-founder of U.K.-based Next Generation Security Software and one of Oracle's most vocal critics.
The flaw can be exploited by an attacker to gain full administrator-level control of a database server through a Web server, Litchfield wrote. He provides a workaround in the mail so Oracle users can protect themselves against attacks. The flaw was reported to Oracle on Oct. 26. Litchfield had hoped that Oracle would provide a fix or a workaround on its recent patch release day. "They failed to do so," he wrote.
Be respectful, keep it civil and stay on topic. We delete comments that violate our policy, which we encourage you to read. Discussion threads can be closed at any time at our discretion.