ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
any user on the application server. An attacker can upload a report executable via WebDAV. The attacker could then
send a specially crafted report parameter to cause the server to execute the malicious file on the targeted user's
system. The file will be executed with Oracle user privileges on a Unix operating system and with SYSTEM privileges
on a Windows-based system. No patch information is available, but some workarounds are suggested. Allowing only
trusted users access to Oracle Reports may reduce the chances of exploitation. This signature detects attack traffic on
TCP ports 8888 and 8889.
Signature ID: 30068
Oracle Reports Server desname Parameter File Overwrite Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2371 Bugtraq: 14309
Signature Description: Oracle Reports is an enterprise reporting tool that extracts data from multiple sources and
inserts it into a formatted report. Oracle Reports Server versions 6.0, 6i, 9i, and 10g could allow a remote attacker to
overwrite arbitrary files on the system. A remote attacker can send a specially crafted desname parameter to overwrite
any file on the application server. Apply the critical patch update released in Jan 2006 by Oracle. This signature
detects attacks that use ASCII characters in packets sent to ports 7777-7787.
Signature ID: 30069
Oracle Reports Server desname Parameter File Overwrite Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2371 Bugtraq: 14309
Signature Description: Oracle Reports is an enterprise reporting tool that extracts data from multiple sources and
inserts it into a formatted report. Oracle Reports Server versions 6.0, 6i, 9i, and 10g could allow a remote attacker to
overwrite arbitrary files on the system. A remote attacker can send a specially crafted desname parameter to overwrite
any file on the application server. Apply the critical patch update released in Jan 2006 by Oracle. This signature
detects attacks that use ASCII characters in packets sent to ports 8888-8889.
Signature ID: 30070
Microsoft Visual Studio WmiScriptUtils.dll Cross-Zone Scripting Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-4704 Bugtraq: 20843
Signature Description: The vulnerability exists in the Microsoft WMIScriptUtils.WMIObjectBroker2 ActiveX control
which is bundled with Visual Studio 2005. An attacker can utilize this control to bypass Internet zone security
restrictions and instantiate other dangerous objects that can be leveraged to result in arbitrary code execution. This
signature detects attacks using PROGID.
Signature ID: 30071
Microsoft Visual Studio WmiScriptUtils.dll Cross-Zone Scripting Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-4704 Bugtraq: 20843
Signature Description: The vulnerability exists in the Microsoft WMIScriptUtils.WMIObjectBroker2 ActiveX control
which is bundled with Visual Studio 2005. An attacker can utilize this control to bypass Internet zone security
restrictions and instantiate other dangerous objects that can be leveraged to result in arbitrary code execution. This
signature detects attacks using CLSID.
Signature ID: 30072
Oracle HTTP Server mod_access Security Restriction Bypass Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1383 Bugtraq: 13418