|
|
|
|
| |
| Oracle's RDBMS, a leading database server package, supports stored packages and procedures using PL/SQL. These packages and procedures can be accessed through Oracle's Application Server's Portal module. Oracle Application Server is a web server designed for Oracle applications. Many of the PL/SQL packages and procedures are vulnerable to SQL Injection. Using these vulnerabilities, an unauthenticated attacker can gain access to all data in the database from the Internet. |
| |
Credit:
The information has been provided by David Litchfield.
|
| |
By default, Oracle Application Server allows unauthenticated users on the web to access PL/SQL packages and procedures stored in the RDBMS. When a PL/SQL procedure is executed, it either does so with the security rights of the invoker or the definer. In the latter case, if a PL/SQL procedure defined by the powerful 'SYS' or 'SYSTEM' login is executed by a low privileged user that user can access data they would not directly be able to access. By executing such a procedure via Oracle Application Server and with these SQL Injection vulnerabilities, it is possible for an attacker to gain access to all data within the database. For example, an attacker could gain access to account details including database usernames and password hashes. Whilst there are some vulnerable packages that do allow this level of access, most do not. Those known to be vulnerable include the packages used for Portal DB Forms, Hierarchy, XML Components, and List of Values. All of the packages are required by the RDBMS so they cannot be deleted.
Fix Information:
NGSSoftware alerted Oracle to these vulnerabilities between September and October 2002, last year. Oracle has reviewed the code of the PL/SQL Packages and procedures and fixed these issues. A patch is available from Metalink. Please see http://otn.oracle.com/deploy/security/pdf/2003alert61.pdf for more details.
NGSSoftware advise Oracle database customers to review and install the patch as a matter of urgency.
|
|
|
|
|
|
|
|
|
|
