[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200904160543.n3G5hhO9022541@www3.securityfocus.com>
Date: Wed, 15 Apr 2009 23:43:43 -0600
From: ak@...-database-security.com
To: bugtraq@...urityfocus.com
Subject: Unprivileged DB users can see APEX password hashes
Name Unprivileged DB users can see APEX password hashes
Systems Affected APEX 3.0 (optional component of 11.1.0.7 installation)
Severity High Risk
Category Password Disclosure
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
CVE CVE-2009-0981
Advisory 14 April 2009 (V 1.00)
Details:
Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER.
SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS
USER_NAME WEB_PASSWORD2
----------------------------------------------------------------------
YURI 141FA790354FB6C72802FDEA86353F31
This password hash can be checked using a tool like Repscan.
Additional information is available in the following advisory.
Advisory:
http://www.red-database-security.com/advisory/apex_password_hashes.html
Patch Information:
Upgrade to Oracle APEX 3.2.
Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle
CPU April 2009 and can identify vulnerable databases.
More Information about Repscan can be found here:
http://www.sentrigo.com/repscan
History:
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published
About Red-Database-Security:
Red-Database-Security is the leading company for Oracle security. Within the last
6 years we reported several hundred vulnerabilities to Oracle.
--
(c) 2009 by Red-Database-Security GmbH
http://www.red-database-security.com
Powered by blists - more mailing lists