lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Apr 2009 23:43:43 -0600 From: ak@...-database-security.com To: bugtraq@...urityfocus.com Subject: Unprivileged DB users can see APEX password hashes Name Unprivileged DB users can see APEX password hashes Systems Affected APEX 3.0 (optional component of 11.1.0.7 installation) Severity High Risk Category Password Disclosure Vendor URL http://www.oracle.com/ Author Alexander Kornbrust (ak at red-database-security.com) CVE CVE-2009-0981 Advisory 14 April 2009 (V 1.00) Details: Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER. SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS USER_NAME WEB_PASSWORD2 ---------------------------------------------------------------------- YURI 141FA790354FB6C72802FDEA86353F31 This password hash can be checked using a tool like Repscan. Additional information is available in the following advisory. Advisory: http://www.red-database-security.com/advisory/apex_password_hashes.html Patch Information: Upgrade to Oracle APEX 3.2. Verification: Our Oracle database scanner Repscan was updated with the information from the Oracle CPU April 2009 and can identify vulnerable databases. More Information about Repscan can be found here: http://www.sentrigo.com/repscan History: 13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981] 14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981] 14-apr-2009 Advisory published About Red-Database-Security: Red-Database-Security is the leading company for Oracle security. Within the last 6 years we reported several hundred vulnerabilities to Oracle. -- (c) 2009 by Red-Database-Security GmbH http://www.red-database-security.com
Powered by blists - more mailing lists