-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Team SHATTER Security Advisory SQL Injection in Oracle Application Server (WWEXP_API_ENGINE) Audust 4, 2008 Risk Level: High Affected versions: Oracle Application Server 9.0.4.3, 10.1.2.2 and 10.1.4.1 Remote exploitable: Yes (No authentication required) Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc. Details: Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE owned by PORTAL in the backend Oracle database server. The 'ACTION' procedure of this package has an instance of SQL Injection that allows attackers to create anonymous PL/SQL programs and execute any kind of PL/SQL statements. The statements are executed with the privileges of the PORTAL user, that has DBA privileges. The vulnerability can be exploited using a web application and without authentication. Impact: Exploitation of this vulnerability allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via a vulnerable web site. Vendor Status: Vendor was contacted and a patch was released. Workaround: There is no workaround for this issue. Fix: Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink. Links: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html Timeline: Vendor Notification - 1/3/2008 Vendor Response - 1/8/2008 Fix - 7/15/2008 Public Disclosure - 7/23/2008 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAkiXK0EACgkQ9EOAcmTuFN0XTACfVffmDNUHutUYu0+5G5zks/tG m3cAn2pILpcdBbr1Rql7zwerfEjMi9m4 =72Cl -----END PGP SIGNATURE-----
