lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed Sep 14 22:25:50 2005
From: ak at red-database-security.com (Kornbrust, Alexander)
Subject: Oracle Reports: Generic SQL Injection
	Vulnerability via Lexical References

########################################################################
####
Red-Database-Security GmbH  - Oracle Reports Security Advisory

Generic SQL Injection Vulnerability in Oracle Reports via Lexical
References

 Name                Generic SQL Injection Vulnerability in Oracle
Reports 
                     via Lexical References
 Systems Affected    Generated Oracle Reports using Lexical References
 Severity            High Risk 
 Category            SQL Injection
 Remote Exploitable  Yes
 Vendor URL          http://www.oracle.com 
 Author              Alexander Kornbrust (ak at
red-database-security.com) 
 Date                15 September 2005 (V 1.00) 
 Advisory-URL        
 http://www.red-database-security.com/wp/sql_injection_reports_us.pdf

 

Details
#######
Oracle Reports provides a feature called lexical references. A lexical 
reference is a placeholder for text that you embed in a SELECT
statement. 
It is possible to replace the clauses appearing after SELECT, FROM,
WHERE, 
GROUP BY, ORDER BY, HAVING, CONNECT BY and START WITH.

If lexical references are in use it is possible to modify SQL statements
via a simple URL. After adding the parameter "paramform=yes" in the URL
a parameter form window appears (=SQL Injection with a menu). 

An attacker can modify the parameter values and inject SQL statements.



Testcase
########
Executed an Oracle Report via an URL, e.g.
http://myserver:8889/reports/rwservlet?report=sqlinject3.rdf+userid=scot
t/tiger@...9206+destype=CACHE+desformat=HTML 

Add the value paramform=yes to the URL
http://myserver:8889/reports/rwservlet?report=sqlinject3.rdf+userid=scot
t/tiger@...9206+destype=CACHE+desformat=HTML+paramform=yes 

A parameter window appears. Inject the SQL statement by modifying the
values
in the parameter form and submit the query.


A detailed description including hardcopies is available in the PDF
advisory:

http://www.red-database-security.com/wp/sql_injection_reports_us.pdf
(English)
http://www.red-database-security.com/wp/sql_injection_reports_dt.pdf
(German)



Affected systems
################
All generated reports using lexical references without input validation.



Patch Information
#################
This issue is not a bug in Oracle Reports itself. It is a problem of
missing input validation in all generated Oracle Reports.



Fix
###
Validate all parameter values before the SQL statement is executed in an

After-Parameter-Form-Trigger.



History
#######
14-may-2004 Oracle secalert was informed to give them time to fix their
reports in the E-Business Suite.

15-sep-2005 Red-Database-Security published this advisory



(c) 2005 by Red-Database-Security GmbH
http://www.red-database-security.com

Powered by blists - more mailing lists