Oracle Applications Oracle Forms SQL Injection Vulnerability
Info
| Bugtraq ID: | 13134 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 12 2005 12:00AM |
| Updated: | Apr 12 2005 12:00AM |
| Credit: | Discovery is credited to Alexander Kornbrust. |
| Vulnerable: | Oracle Applications 11i 11.5.9; Oracle Applications 11i 11.5; Oracle Applications 11.0; Oracle Applications 10.7 |
| Not Vulnerable: | |
Discussion
Oracle Forms is prone to an SQL injection vulnerability. This issue arises due to insufficient sanitization of user-supplied data.
It is reported that this issue exists in an Oracle Forms feature called 'Query/Where', which allows users to modify existing SQL statements.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
This issue is one of the issues described in BID 13139 (Oracle Multiple Vulnerabilities).
Exploit / POC
An exploit is not required.
Solution / Fix
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - April 2005) to address this and other issues. Information on obtaining and applying the appropriate patch can be found in the Oracle Critical Patch Update listed in the references.
References
- Critical Patch Update - April 2005 (Oracle)
- Oracle Homepage (Oracle)
- SQL Injection in Oracle Forms V1.00 (Red-Database-Security GmbH)