Oracle Database Multiple SQL Injection Vulnerabilities
BID:13144
Info
| Bugtraq ID: | 13144 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 13 2005 12:00AM |
| Updated: | Apr 13 2005 12:00AM |
| Credit: | The issues were reported by Esteban Martinez Fayo <[email protected]>. |
| Vulnerable: | Oracle9i Standard Edition 9.2.6, 9.2.3, 9.2.0.5, 9.2.0.3, 9.2.0.2, 9.2.0.1, 9.2, 9.0.4, 9.0.2, 9.0.1.5, 9.0.1.4, 9.0.1.3, 9.0.1.2, 9.0.1, 9.0.2.4, 9.0, 8.1.7; Oracle9i Personal Edition 9.2.6, 9.2.0.5, 9.2.0.3, 9.2.0.2, 9.2.0.1, 9.2, 9.0.4, 9.0.1.5, 9.0.1.4, 9.0.1, 9.0.2.4, 8.1.7; Oracle9i Enterprise Edition 9.2.6.0, 9.2.2, 9.2.0.5, 9.2.0.3, 9.2.0.1, 9.2.0, 9.0.4, 9.0.1.5, 9.0.1.4, 9.0.1, 9.0.2.4, 8.1.7; Oracle9i Application Server 9.2.0.6, 9.0.3.1, 9.0.3, 9.0.2.3, 9.0.2.2, 9.0.2.1, 9.0.2.0.1, 9.0.2.0.0, 9.0.2, 1.0.2.2.2, 1.0.2.2, 1.0.2.1s, 1.0.2; Oracle8i Standard Edition 8.1.7.4, 8.1.7.1, 8.1.7.0.0, 8.1.7, 8.1.6, 8.1.5, 8.0.6.3, 8.0.6; Oracle8i Enterprise Edition 8.1.7.4.0, 8.1.7.1.0, 8.1.7.0.0, 8.1.6.1.0, 8.1.6.0.0, 8.1.5.1.0, 8.1.5.0.2, 8.1.5.0.0, 8.0.6.0.1, 8.0.6.0.0, 8.0.5.0.0; Oracle10g Standard Edition 10.1.0.4, 10.1.0.3.1, 10.1.0.3, 10.1.0.2, 9.0.4.0; Oracle10g Personal Edition 10.1.0.4, 10.1.0.3.1, 10.1.0.3, 10.1.0.2, 9.0.4.0; Oracle10g Enterprise Edition 10.1.0.4, 10.1.0.3.1, 10.1.0.3, 10.1.0.2, 9.0.4.0; Oracle10g Application Server 10.1.2, 10.1.0.3.1, 10.1.0.3, 10.1.0.2, 9.0.4.1, 9.0.4.0 |
| Not Vulnerable: | |
Discussion
Oracle database is reported prone to multiple SQL injection vulnerabilities. These issues exist due to insufficient sanitization of user-supplied data.
These issues can be exploited using malformed PL/SQL statements to pass unauthorized SQL statements to the database. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
Some of these issues may have been reported in BID 13139 (Oracle Multiple Vulnerabilities) and addressed by the Oracle Critical Patch Update - April 2005. This cannot be confirmed at the moment.
This BID will be updated and divided into individual BIDs as more information becomes available.
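The advisory names the mechanism (user-supplied data concatenated into PL/SQL without sanitization) but not the affected packages. The following is an added, generic illustration of that class of flaw and its remedies; it is not code from the advisory, from the reporter or from Oracle, and the procedure names (`demo_table_count_unsafe`, `demo_table_count_safe`, `demo_row_count_safe`) are hypothetical. It also assumes `DBMS_ASSERT` is available, which shipped with 10g Release 2 and may be absent from the releases listed above. The last statement is an audit query a DBA can run over `DBA_SOURCE` to locate similar patterns in application code.

```sql
-- Illustrative only: hypothetical procedures, not the Oracle packages the advisory refers to.

-- 1. Vulnerable pattern: caller-supplied text is concatenated into dynamic SQL.
--    A quote character inside p_owner terminates the string literal, so text that
--    follows it becomes part of the statement. Because the unit is AUTHID DEFINER,
--    the resulting SQL runs with the privileges of the procedure owner, not the caller,
--    which is why an injectable built-in package is a privilege-escalation path.
CREATE OR REPLACE PROCEDURE demo_table_count_unsafe (
    p_owner IN  VARCHAR2,
    p_count OUT NUMBER)
AUTHID DEFINER
AS
    l_sql VARCHAR2(4000);
BEGIN
    l_sql := 'SELECT COUNT(*) FROM all_tables WHERE owner = ''' || p_owner || '''';
    EXECUTE IMMEDIATE l_sql INTO p_count;
END demo_table_count_unsafe;
/

-- 2. Hardened: the value travels as a bind variable and can never alter the
--    statement text. Invoker's rights (AUTHID CURRENT_USER) additionally make the
--    dynamic SQL execute with the caller's own privileges.
CREATE OR REPLACE PROCEDURE demo_table_count_safe (
    p_owner IN  VARCHAR2,
    p_count OUT NUMBER)
AUTHID CURRENT_USER
AS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM all_tables WHERE owner = :owner'
        INTO p_count
        USING p_owner;
END demo_table_count_safe;
/

-- 3. When an identifier (here a table name) must become part of the statement,
--    binding is impossible; validate it instead. DBMS_ASSERT.SIMPLE_SQL_NAME raises
--    ORA-44003 for anything that is not a valid simple SQL name.
--    (Assumption: DBMS_ASSERT exists on the target release; see the lead-in.)
CREATE OR REPLACE PROCEDURE demo_row_count_safe (
    p_table IN  VARCHAR2,
    p_count OUT NUMBER)
AUTHID CURRENT_USER
AS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
        INTO p_count;
END demo_row_count_safe;
/

-- 4. Audit check: list stored code lines that build dynamic SQL by concatenation.
--    Each hit is a candidate for review, not proof of a flaw. The pattern only
--    catches EXECUTE IMMEDIATE and '||' on the same source line, and wrapped
--    (vendor-supplied) package bodies are not readable here; for those the
--    Critical Patch Update referenced below is the remedy.
SELECT s.owner, s.name, s.type, s.line, s.text
FROM   dba_source s
WHERE  UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
  AND  s.text LIKE '%||%'
ORDER  BY s.owner, s.name, s.line;
```

The contrast between the first two procedures is the whole point of the advisory's "insufficient sanitization" wording: binding keeps data and code separate, whereas concatenation lets data rewrite the statement, and definer's rights decide whose privileges the rewritten statement enjoys.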
Exploit / POC
Proof of concept examples are available:
Solution / Fix
Solution:
Some of these issues may have been addressed by the vendor. Please see the referenced Oracle update for more information. It is reported that a few of these issues have not been patched. Users are advised to contact the vendor for more information.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- Critical Patch Update - April 2005 (Oracle)
- Oracle Homepage (Oracle)