Oracle IAS PL/SQL Injection Vulnerability
BID:2150
Info
| Bugtraq ID: | 2150 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 19 2000 12:00AM |
| Updated: | Dec 19 2000 12:00AM |
| Credit: | This vulnerability was first announced by Michal Zalewski <[email protected]> on December 19, 2000. |
| Vulnerable: | Oracle Internet Application Server 3.0.7 |
| Not Vulnerable: | |
Discussion
Oracle WebDB is part of the Oracle Internet Application Server package, distributed by Oracle Corporation. A problem exists which can allow users unauthorized access to restricted resources.
The problem lies in the ability to query a running database using HTTP requests and PL/SQL. By sending a custom-crafted query to the HTTPD, a remote user can discover sensitive information within the database, such as DAD (Database Access Descriptor) names and the type and version of the database software. In addition to discovering the DAD, a remote user can browse through and manipulate data within the running database, and possibly alter the web interface. These problems make it possible for a user with malicious intent to query a database for sensitive information and to further manipulate data within the database itself.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].