lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <497331E3.4010108@secniche.org>
Date: Sun, 18 Jan 2009 19:12:59 +0530
From: Aditya K Sood <0kn0ck@...niche.org>
To: bugtraq@...urityfocus.com, submit@...w0rm.com, vuln@...unia.com,
	vuldb@...urityfocus.com, submit@...unia.com,
	submissions@...ketstormsecurity.org
Subject: Advisory: Oracle EBusiness Suite Sensitive Information Disclosure
 Vulnerability


Version Affected:
Oracle E-Business Suite Release 12, version 12.0.6
Oracle E-Business Suite Release 11i, version 11.5.10.2

CVE:
2008-5446

Description:
The oracle E Business including applications like I-Recruitment etc is
vulnerable to flaw which leads
to sensitive information disclosure about the deployment of oracle
application and server in a production
environment. The flaw persists in the E Business suite designed code
which allows malicious user to steal
sensitive information through "About Us Page" (shipped with E Business
Suite) by allowing guest access.
In addition to this a straight forward access is granted to attacker to
steal all the information which provide
potential attack surface for conducting stringent attacks.

The severity gets higher because the type of information is revealed.
This can be structured over two end points as:

1. If an application is hosted on internet with external interface.
2. If an application is hosted in organization production environment.

Proof of Concept: Refer to the whitepaper for detail information
http://secniche.org/papers/orabs.pdf

Detection:
SecNiche confirmed this vulnerability affects the above oracle version
listed.

Disclosure Timeline:
Disclosed: 25 Sept 2008
Reply : 26 Sept 2008
Oracle Fix and Release Date. 13 January 2009

Links:
http://www.secniche.org/orabs.html
http://evilfingers.com/advisory/index.php

Vendor Response:
Oracle acknowledges this vulnerability and fix have been release in
critical advisory update of 13 January 2009

Oracle Critical Patch Update:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html


Credit:
Oracle Credited Aditya K Sood for discovering this vulnerability

Disclaimer:
The information in the advisory is believed to be accurate at the time
of publishing based on currently
available information. Use of the information constitutes acceptance for
use in an AS IS condition. There
is no representation or warranties, either express or implied by or with
respect to anything in this document,
and shall not be liable for a ny implied warranties of merchantability
or fitness for a particular purpose or for
any indirect special or consequential damages.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ