NI3
11-04-2003, 03:40 PM
TITLE:
Oracle9i Application Server Portal Component SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA10130
VERIFY ADVISORY:
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information
WHERE:
From remote
SOFTWARE:
Oracle 9i Application Server
DESCRIPTION:
A vulnerability has been identified in Oracle9i Application Server,
which can be exploited by malicious people to gain knowledge of
sensitive information.
The vulnerability is caused by an input validation error in the
Portal component when handling user input supplied to the Oracle9i
Application Server Data Dictionary tables. This can be exploited via
SQL injection attacks to gain knowledge of user data.
The following products are affected:
* Oracle9i Application Server Portal Release 1, v3.0.9.8.5 (and prior)
* Oracle9i Application Server Portal Release 2, v9.0.2.3.0 (and prior)
SOLUTION:
Versions 9.0.2.6 and later are not vulnerable.
Patches have been released for v9.0.2.3.0 and v3.0.9.8.5. These are
available at the Metalink site (see original advisory for a patch
matrix).
REPORTED BY / CREDITS:
David Litchfield
ORIGINAL ADVISORY:
----------------------------------------------------------------------