The remote Microsoft SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against the remote host as LOCAL/SYSTEM, as well as read your database content.

*** This alert might be a false positive.

Detects Vulnerability in the execution of JSPs outside doc_root.

A potential security vulnerability has been discovered in Oracle JSP releases 1.0.x through 1.1.1 (in Apache/Jserv). This vulnerability permits access to and execution of unintended JSP files outside the doc_root in Apache/Jserv. For example, accessing http://www.example.com/a.jsp//..//..//..//..//..//../b.jsp will execute b.jsp outside the doc_root instead of a.jsp if there is a b.jsp file in the matching directory.

Further, Jserv Releases 1.0.x - 1.0.2 have additional vulnerability:

Due to a bug in Apache/Jserv path translation, any URL that looks like:
http://host:port/servlets/a.jsp, makes Oracle JSP execute 'd:\servlets\a.jsp' if such a directory path actually exists. Thus, a URL virtual path, an actual directory path and the Oracle JSP name (when using Oracle Apache/JServ) must match for this potential vulnerability to occur.

Vulnerable systems:
Oracle8i Release 8.1.7, iAS Release version 1.0.2 Oracle JSP, Apache/JServ Releases version 1.0.x - 1.1.1

It was possible to crash the IBM DB2 database service by connecting to the affected service and sending just one byte to it.

The SQL Server has a common password for one or more accounts. These accounts may be used to gain access to the records in the database or even allow remote command execution.

It is possible to read the contents of the XSQLConfig.xml file which contains sensitive information.

In a default installation of Oracle 9iAS, it is possible to use the mod_plsql module to perform a directory traversal attack. This allows attackers to read arbitrary files on the server.

In a default installation of Oracle 9iAS it is possible to read the source of JSP files. When a JSP is requested it is compiled 'on the fly' and the resulting HTML page is returned to the user. Oracle 9iAS uses a folder to hold the intermediate files during compilation. These files are created in the same folder in which the .JSP page resides. Hence, it is possible to access the .java and compiled .class files for a given JSP page.

The remote host is an Oracle 9iAS server. By default, accessing the location /oprocmgr-status via HTTP lets an attacker obtain the list of processes running on the remote host, and even to to start or stop them.

In the default configuration of Oracle 9iAS, it is possible to make requests for the globals.jsa file for a given web application. These files should not be returned by the server as they often contain sensitive information such as database credentials.

In a default installation of Oracle 9iAS, it is possible to access the mod_plsql DAD Admin interface. Access to these pages should be restricted.

In a default installation of Oracle 9iAS, it is possible to access the Dynamic Monitoring Services pages anonymously. Access to these pages should be restricted.

Oracle 9i Application Server uses Apache as it's web server. There is a buffer overflow in the mod_plsql module which allows an attacker to run arbitrary code.

According to its version, the version of OracleWebCache installed on the remote host is affected by denial of service vulnerability. A remote attacker may exploit this vulnerability to crash the remote service.

The remote host is running MySQL, an open source database server.

Microsoft SQL server has a function wherein remote users can query the database server for the version that is being run.  The query takes place over the same UDP port that handles the mapping of multiple SQL server instances on the same machine. 

It is important to note that, after Version 8.00.194, Microsoft decided not to update this function.  This means that the data returned by the SQL ping is inaccurate for newer releases of SQL Server.

The remote instance of MS SQL / SQL Server has the default 'sa' account enabled without any password. 

An attacker may leverage this flaw to execute commands against the remote host, as well as read the content of any databases it might have.

The remote Oracle Listener Program (tnslsnr) has no password assigned. An attacker may use this fact to shut it down arbitrarily, thus preventing legitimate users from using it.

The remote host is running the Oracle tnslsnr service, a network interface to Oracle databases.  This product allows a remote user to determine the presence and version number of a given Oracle installation.

It may be possible to make a web server execute arbitrary code by sending it a too long url starting with /jsp/ For example: GET /jsp/AAAA.....AAAAA

The installed version of MySQL is older than version 3.23.36. Such versions are potentially affected by multiple vulnerabilities :  

  - It is possible to modify arbitrary files and gain     privileges by creating a database with '..' characters.
    (CVE-2001-0407)

  - Users with a MySQL account can use the 'SHOW GRANTS'     command to obtain the encrypted administrator password     from the 'mysql.user' table. (CVE-2001-1275)

  - Local users can modify passwords for arbitrary MySQL     users via the 'GRANT' privilege. (CVE-2000-0045)

One of the sample applications that comes with the Oracle XSQL Servlet  allows an attacker to make arbitrary queries to the Oracle database (under an unprivileged account). Whilst not allowing an attacker to delete or modify database contents, this flaw can be used to enumerate database users and view table names.

The Oracle XSQL Servlet allows arbitrary Java code to be executed by an attacker by supplying the URL of a malicious XSLT stylesheet when making a request to an XSQL page.

It is possible to connect to the remote PostgreSQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.

It is possible to connect to the remote MySQL database server using an unpassworded account.  This may allow an attacker to launch further attacks against the database.

The remote version of MySQL is older than (or as old as) version 3.22.30 or 3.23.10.  Thus, it may allow attacker who knows a valid username to access database tables without a valid password.

The remote Microsoft SQL server can be shut down when it is sent a TCP packet containing more than 2 NULLs.

An attacker may use this problem to prevent it from being used by legitimate clients, thus threatening your business.

It was possible to make the remote web server crash by supplying a too long argument to the cgi /ews-bin/fnord. An attacker may use this flaw to prevent your customers to access your website.

ID	Name	Severity
11067	Microsoft SQL Server Authentication Function Remote Overflow	high
10925	Oracle JSP Apache/Jserv Path Translation Arbitrary JSP File Execution	medium
10871	IBM DB2 Multiple CGI Single Byte Request Remote DoS	medium
10862	Microsoft SQL Server Default Credentials	critical
10855	Oracle Application Server XSQLServlet XSQLConfig.xml Information Disclosure	low
10854	Oracle 9iAS mod_plsql Encoded Traversal Arbitrary File Access	medium
10852	Oracle 9iAS _pages Directory Compiled JSP Source Disclosure	medium
10851	Oracle 9iAS Java Process Manager /oprocmgr-status Anonymous Process Manipulation	medium
10850	Oracle 9iAS globals.jsa Database Credential Remote Disclosure	medium
10849	Oracle 9iAS mod_plsql DAD Admin Interface Access	medium
10848	Oracle 9iAS DMS / JPM Pages Anonymous Access	medium
10840	Oracle 9iAS mod_plsql Help Page Request Remote Overflow	high
10808	Oracle Application Server Web Cache Multiple Remote DoS	medium
10719	MySQL Server Detection	info
10674	Microsoft SQL Server UDP Query Remote Version Disclosure	info
10673	Microsoft SQL Server sa Account Default Blank Password	critical
10660	Oracle Database Listener Program (tnslsnr) Service Blank Password	medium
10658	Oracle Database tnslsnr Service Remote Version Disclosure	info
10654	Oracle Application Server ndwfn4.so HTTP Request Remote Overflow	high
10626	MySQL < 3.23.36 Multiple Vulnerabilities	high
10613	Oracle XSQL query.xsql sql Parameter SQL Injection	medium
10594	Oracle Application Server XSQL Stylesheet Arbitrary Java Code Execution	high
10483	PostgreSQL Default Unpassworded Account	high
10481	MySQL Unpassworded Account Check	high
10343	MySQL Short Check String Authentication Bypass	high
10145	MS99-059: Microsoft SQL Server Crafted TCP Packet Remote DoS (uncredentialed check)	medium
10171	Oracle Webserver PL/SQL Stored Procedure GET Request DoS	medium

Detections

Analytics

Databases Family for Nessus

high

medium

medium

critical

low

medium

medium

medium

medium

medium

medium

high

medium

info

info

critical

medium

info

high

high

medium

high

high

high

high

medium

medium