SQL Injection in PORTAL.WPG_SESSION
August 3, 2005
To determine if you are vulnerable to this attack, download AppDetective
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: Medium
Credits: This vulnerability was discovered and researched by Aaron Newman
for Application Security, Inc.
Affected versions:
All versions of Oracle Database Server
Background:
Oracle contains a large number of built-in PL/SQL packages. These packages contain code which typically executes under the privileges of the package owner. Package owners usually possess elevated privileges, which results in potential security problems.
The PL/SQL package ORASSO.WPG_SESSION contains a function called init which contains an instance of SQL injection.
The PL/SQL package OWF_MGR.WF_EVENT_HTML contains a function called EventQueueDisplay which contains an instance of SQL injection.
Details:
By default, EXECUTE permission on the WPG_SESSION package is granted to PUBLIC, and the package is owned by the PORTAL schema. As a result, any commands run by the procedure execute under the elevated privileges of the PORTAL user.
The PORTAL schema contains code used by the Oracle Portal system. This user has been granted the DBA role.
The function init in this package accesses a structure called wwctx_api.get_nls_language. The function pulls out the language and territory values and then executes the following command with these values concatenated directly into the statement text:
execute immediate 'alter session set nls_language = "' || l_language || '" nls_territory = "' || l_territory || '"';
The use of execute immediate on a string built from these values results in a possible SQL injection attack if the attacker has privileges to set the language and territory values. Although performing this SQL injection may depend on several other factors, it is highly recommended that you revoke EXECUTE permission from PUBLIC on this package.
Impact:
Attackers can execute SQL under the privileges of the PORTAL user, a DBA.
Workaround:
Revoke the EXECUTE privilege on this package from the PUBLIC role. To revoke the privilege, run the following command:
REVOKE EXECUTE ON PORTAL.WPG_SESSION FROM PUBLIC;
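The following is an added example, not Oracle's code or part of the original advisory. It shows a check for the default grant described in the workaround and a hardened version of the dynamic ALTER SESSION pattern from the Details section; the procedure name is hypothetical, and it assumes the caller can query DBA_TAB_PRIVS and V$NLS_VALID_VALUES.

```sql
-- Check whether EXECUTE on the package is still granted to PUBLIC
-- (an empty result after the REVOKE means the workaround is in place).
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'PORTAL'
   AND table_name = 'WPG_SESSION'
   AND grantee = 'PUBLIC';

-- Hardened form of the pattern in the Details section (hypothetical name).
-- Instead of concatenating caller-influenced values straight into the
-- statement, both values are checked against the allow-list of languages
-- and territories that the database itself recognises.
CREATE OR REPLACE PROCEDURE set_session_nls_safe (
    p_language  IN VARCHAR2,
    p_territory IN VARCHAR2
) AUTHID CURRENT_USER IS   -- invoker's rights: no definer-privilege escalation
    l_language  VARCHAR2(64);
    l_territory VARCHAR2(64);
BEGIN
    -- Allow-list lookups: only an exact match with a known value is accepted.
    SELECT value INTO l_language
      FROM v$nls_valid_values
     WHERE parameter = 'LANGUAGE' AND value = UPPER(p_language);

    SELECT value INTO l_territory
      FROM v$nls_valid_values
     WHERE parameter = 'TERRITORY' AND value = UPPER(p_territory);

    -- Only the vetted values reach the dynamic statement (same quoting as
    -- the original statement quoted in the advisory).
    EXECUTE IMMEDIATE 'alter session set nls_language = "' || l_language ||
                      '" nls_territory = "' || l_territory || '"';
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        -- Anything that is not a recognised language/territory is rejected
        -- outright, so injected text never reaches EXECUTE IMMEDIATE.
        RAISE_APPLICATION_ERROR(-20001,
            'Unsupported NLS language or territory value');
END set_session_nls_safe;
/
```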
Vendor Status:
Vendor was contacted and a patch was released.
Fix:
To fix the problem, apply the Critical Patch Update - July 2005 patches:
http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html
Oracle Advisory: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html