lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 23 Oct 2006 18:44:00 +0200
From: "Alexander Kornbrust" <ak@...-database-security.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: SQL Injection Vulnerability in Oracle
	WWV_FLOW_UTILITIES

Name		SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES
Systems 	Affected Oracle APEX/HTMLDB
Severity   	High Risk
Category   	SQL Injection
Vendor URL 	http://www.oracle.com/
Author 	Alexander Kornbrust (ak at red-database-security.com)
Date 	      18 October 2006 (V 1.00)
Advisory
http://www.red-database-security.com/advisory/oracle_apex_sql_injection_wwv_
flow_utilities.html

Details
#######
The list of values (LOV) in wwv_flow_utilities.gen_popup_list contains a SQL

injection vulnerability. Depending of the APEX application it is possible 
to inject custom SQL statements. The entire SQL statement is accessible from

the URL in the parameter P_LOV. To protect the SELECT statement in the URL 
Oracle is using a MD5 checksum. By modifying the SQL statement and
recalculating 
the MD5 checksum P_LOV_CHECKSUM it is possible to run custom SQL statements 
from the URL.

Sample URL
###########
http://apex:7777/pls/htmldb/wwv_flow_utilities.gen_popup_list?p_filter=&p_na
me=p_t02&p_element_index=1&p_hidden_elem_name=p_t01&p_form_index=0&p_max_ele
ments=&p_escape_html=&p_ok_to_query=YES&p_flow_id=100&p_page_id=11&p_session
_id=15108399238201864297&p_eval_value=&p_return_key=YES&p_translation=N&p_lo
v=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_first_name%20d%2C%20cu
stomer_id%20r%20from%20demo_customers%20order%20by%20cust_last_name&p_lov_ch
ecksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064



Affected Products
#################
This bug is fixed with 2.2 of APEX which is not part of the Critical Patch 
Update October 2006. It's necessary to upgrade your APEX/HTMLDB installation

to 2.2 or better 2.2.1.

Patches are currently not available for Oracle Application Express.

Patch Information
#################
This bug is fixed with Apex 2.2 or higher.



History
#######
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006 and recommends to update to
2.2.1
18-oct-2006 Red-Database-Security published this advisory


Additional Information
######################
An analysis of the Oracle CPU Oct 2006 is available here
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ