Team SHATTER Security Advisory
SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)
August 4, 2008
Affected versions: Oracle Application Server 22.214.171.124, 10.1.2.2 and 10.1.4.1
Remote exploitable: Yes (No authentication required)
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.
Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE, owned by PORTAL, in the backend Oracle database server. The 'ACTION' procedure of this package contains a SQL injection flaw that allows attackers to construct anonymous PL/SQL blocks and execute PL/SQL statements of their choosing. The statements run with the privileges of the PORTAL user, which has DBA privileges. The vulnerability can be exploited through a web application and without authentication.
Exploitation of this vulnerability allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via a vulnerable web site.
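The flaw class described above, as an added illustration that is not the advisory's or Oracle's code (the WWEXP_API_ENGINE source is not on the page): a hypothetical definer's-rights procedure that splices caller input into dynamic PL/SQL, beside a hardened form using an allow-list, bind variables and invoker's rights. All procedure, table and column names below are invented.

```sql
-- Hypothetical vulnerable pattern (not Oracle's code): caller-controlled text is
-- concatenated into an anonymous block. Because the procedure is definer's rights
-- and its owner holds DBA privileges, whatever the caller supplies runs as the owner.
CREATE OR REPLACE PROCEDURE demo_action_unsafe (p_action IN VARCHAR2)
AUTHID DEFINER IS
BEGIN
  EXECUTE IMMEDIATE 'BEGIN ' || p_action || '; END;';
END;
/

-- Hardened form (hypothetical):
-- 1. The request selects one of a fixed set of statements (allow-list); input is
--    never executed as code.
-- 2. Values travel as bind variables, never as SQL text.
-- 3. AUTHID CURRENT_USER runs the body with the caller's privileges, so a
--    low-privileged web-tier account cannot borrow the owner's DBA rights.
CREATE OR REPLACE PROCEDURE demo_action_safe (
  p_action IN VARCHAR2,
  p_item   IN VARCHAR2
) AUTHID CURRENT_USER IS
  l_sql VARCHAR2(200);
BEGIN
  CASE UPPER(p_action)
    WHEN 'EXPORT' THEN
      l_sql := 'UPDATE demo_items SET status = ''EXPORTED'' WHERE name = :1';
    WHEN 'IMPORT' THEN
      l_sql := 'UPDATE demo_items SET status = ''IMPORTED'' WHERE name = :1';
    ELSE
      RAISE_APPLICATION_ERROR(-20001, 'Unsupported action: ' || p_action);
  END CASE;
  EXECUTE IMMEDIATE l_sql USING p_item;  -- p_item is bound, not concatenated
END;
/

-- Where an identifier (not a value) must be dynamic, validate it first;
-- DBMS_ASSERT.SIMPLE_SQL_NAME raises ORA-44003 for anything that is not a
-- plain SQL name, which stops quote and comment sequences from being spliced in.
CREATE OR REPLACE PROCEDURE demo_count_rows (p_table IN VARCHAR2, p_rows OUT NUMBER)
AUTHID CURRENT_USER IS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO p_rows;
END;
/

-- Detection, not a fix: record every call to the affected package until the
-- Critical Patch Update is applied, then review the entries in DBA_AUDIT_TRAIL.
AUDIT EXECUTE ON portal.wwexp_api_engine BY ACCESS;
```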
The vendor was contacted and has released a patch.
There is no workaround for this issue.
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.
Vendor Notification - 1/3/2008
Vendor Response - 1/8/2008
Fix - 7/15/2008
Public Disclosure - 7/23/2008