Improper Character Conversion in Oracle HTTP Server Affects Oracle Application Server 10g
CVE-2004-1362

Currently unrated

Key Information:

Vendor: Oracle
Status: Oracle10g; Oracle8i; Oracle9i; Collaboration Suite
Vendor: CVE Published:; 4 August 2004

Summary

The PL/SQL module within the Oracle HTTP Server for Oracle Application Server 10g is susceptible to an improper character conversion vulnerability. This flaw arises when using the WE8ISO8859P1 character set, which fails to properly convert encoded URLs. By exploiting this vulnerability, attackers can bypass access restrictions on specific procedures by sending %FF encoded sequences that are incorrectly transformed into 'Y' characters. This oversight may permit unauthorized access, necessitating prompt attention to mitigate potential risks.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/18657

vdb-entryx_refsource_XF

http://www.kb.cert.org/vuls/id/435974

third-party-advisoryx_refsource_CERT-VN

http://www.us-cert.gov/cas/techalerts/TA04-245A.html

third-party-advisoryx_refsource_CERT

Timeline

Vulnerability Reserved
Jan 7, 2005
Vulnerability published
Aug 4, 2004