lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1C09DF36EB7A3F489633C919E7413501150D20@mapibe09.exchange.xchg>
Date: Wed Jul 13 20:44:31 2005
From: ak at red-database-security.com (Kornbrust, Alexander)
Subject: Advisory: Oracle Forms Insecure Temporary File
	Handling

Red-Database-Security GmbH  - Oracle Security Advisory

Oracle Forms Insecure Temporary File Handling

 Name                Oracle Forms Insecure Temporary File Handling
 Systems Affected    Oracle Forms 4.5, 6.0, 6i, 9i
 Severity            Medium Risk 
 Category            Information disclosure
 Vendor URL          http://www.oracle.com 
 Author              Alexander Kornbrust (ak at
red-database-security.com) 
 Date                13 July 2005 (V 1.00) 
 Advisory            AKSEC2003-006
 Oracle Vuln#        AS04
 Time to fix         693 days
      
      

Details
#######
If the number of records in a Oracle Forms application retrieved from
the 
database exceeds the parameter "buffered records" Oracle Forms will
create 
a temp file located in the temp directory of the application server.
This 
temp file contains an unencrypted copy of the database table used in the
Forms 
application (e.g. creditcard). The default permission for these temp
files 
(format: AAAa<processid>.TMP) is -rw-rw-r--. Every UNIX user on the
application 
server can read the content of this file (e.g credit card information,
...).


Example
#######
ls -la /tmp
-rw-rw-r-- 1 oracle oinstall 47600 Aug 17 20:30 AAAa15400.TMP



Workaround
##########
Set the environment variable TMP, TEMP and TMPDIR to a secure location.
It depends on the OS of the application server what environment variable
will be used.

Delete old AAA* files on a regular basis.



Patch Information
##################
Apply patches for the application server mentioned in Metalink Note
311038 .



History
#######
19-aug-2003 Oracle secalert_us was informed
20-aug-2003 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
13-jul-2005 Red-Database-Security published this advisory


(c) 2005 by Red-Database-Security GmbH

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ