Oracle Database Server ALTER_MANUALLOG_CHANGE_SOURCE SQL Injection Vulnerability
BID:13235
Info
Oracle Database Server ALTER_MANUALLOG_CHANGE_SOURCE SQL Injection Vulnerability
| Bugtraq ID: | 13235 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 12 2005 12:00AM |
| Updated: | Apr 12 2005 12:00AM |
| Credit: | Discovery is credited to Esteban Martinez Fayo. |
| Vulnerable: |
Oracle Oracle10g Standard Edition 10.1 .0.4 Oracle Oracle10g Standard Edition 10.1 .0.3.1 Oracle Oracle10g Standard Edition 10.1 .0.3 Oracle Oracle10g Standard Edition 10.1 .0.2 Oracle Oracle10g Personal Edition 10.1 .0.4 Oracle Oracle10g Personal Edition 10.1 .0.3.1 Oracle Oracle10g Personal Edition 10.1 .0.3 Oracle Oracle10g Personal Edition 10.1 .0.2 Oracle Oracle10g Enterprise Edition 10.1 .0.4 Oracle Oracle10g Enterprise Edition 10.1 .0.3.1 Oracle Oracle10g Enterprise Edition 10.1 .0.3 Oracle Oracle10g Enterprise Edition 10.1 .0.2 |
| Not Vulnerable: | |
Discussion
Oracle Database Server ALTER_MANUALLOG_CHANGE_SOURCE SQL Injection Vulnerability
Oracle Database Server is prone to an SQL injection vulnerability. The issue arises because ALTER_MANUALLOG_CHANGE_SOURCE does not properly validate user input.
This issue was originally disclosed in the "Oracle Critical Patch Update - April 2005" advisory. BID 13139 Oracle Multiple Vulnerabilities describes the issues covered in the Oracle advisory.
Oracle Database Server is prone to an SQL injection vulnerability. The issue arises because ALTER_MANUALLOG_CHANGE_SOURCE does not properly validate user input.
This issue was originally disclosed in the "Oracle Critical Patch Update - April 2005" advisory. BID 13139 Oracle Multiple Vulnerabilities describes the issues covered in the Oracle advisory.
Exploit / POC
Oracle Database Server ALTER_MANUALLOG_CHANGE_SOURCE SQL Injection Vulnerability
An exploit is not required.
An exploit is not required.
Solution / Fix
Oracle Database Server ALTER_MANUALLOG_CHANGE_SOURCE SQL Injection Vulnerability
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - April 2005) to address this issue. Information regarding obtaining and applying an appropriate patch can be found in the Oracle Critical Patch Update in references.
Pre-Installation Notes for Oracle Database Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=301045.1
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - April 2005) to address this issue. Information regarding obtaining and applying an appropriate patch can be found in the Oracle Critical Patch Update in references.
Pre-Installation Notes for Oracle Database Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=301045.1
References
Oracle Database Server ALTER_MANUALLOG_CHANGE_SOURCE SQL Injection Vulnerability
References:
References:
- Critical Patch Update - April 2005 (Oracle)
- OraALTER_MANUALLOG_CHANGE_SOURCEWorkaround.sql (Argeniss)
- Oracle Homepage (Oracle)
- [AppSecInc Team SHATTER Security Advisory] SQL Injection in ALTER_MANUALLOG_CHAN (Team SHATTER