|
SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)
July 29, 2008
Risk Level:
High
Affected versions:
Oracle Application Server 9.0.4.3, 10.1.2.2 and 10.1.4.1
Remote exploitable:
Yes (No authentication required)
Credits:
This vulnerability was
discovered and
researched by Esteban
Martínez Fayó of Application
Security Inc.
Details:
Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE owned by
PORTAL in the backend Oracle database server. The 'ACTION' procedure of this package
has an instance of SQL Injection that allows attackers to create anonymous PL/SQL
programs and execute any kind of PL/SQL statements. The statements are executed
with the privileges of the PORTAL user, that has DBA privileges. The vulnerability
can be exploited using a web application and without authentication.
Impact:
Exploitation of this
vulnerability allows an unauthenticated
attacker on the Internet
to gain full control of a backend Oracle database server via a
vulnerable web site.
Vendor Status:
Vendor was contacted and
a patch was released.
Workaround:
There is no workaround for this issue.
Fix:
Apply Oracle Critical
Patch Update July 2008
available at Oracle
Metalink.
Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
Timeline:
Vendor Notification - 1/3/2008
Vendor Response - 1/8/2008
Fix - 7/15/2008
Public Disclosure - 7/23/2008
|
