Oracle Workspace Manager LT Package SQL Injection Vulnerability
BID:26098
Info
| Bugtraq ID: | 26098 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-5511 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 17 2007 12:00AM |
| Updated: | May 07 2015 05:34PM |
| Credit: | David Litchfield of NGSSoftware is credited with the discovery of this vulnerability. |
| Vulnerable: |
Oracle Oracle9i Application Server 9.2 .8
Oracle Oracle10g Standard Edition 10.2 .3
Oracle Oracle10g Standard Edition 10.2 .2
Oracle Oracle10g Standard Edition 10.1 .0.5
Oracle Oracle10g Personal Edition 10.2 .3
Oracle Oracle10g Personal Edition 10.2 .2
Oracle Oracle10g Personal Edition 10.1 .5
Oracle Oracle10g Enterprise Edition 10.2 .3
Oracle Oracle10g Enterprise Edition 10.2 .2
Oracle Oracle10g Enterprise Edition 10.1 .5
Oracle Oracle10g Application Server 10.1.2 .0.1
HP Oracle for OpenView for Linux LTU Service Bureaus 0
HP Oracle for OpenView for Linux LTU 0
HP Oracle for OpenView 9.1.1
HP Oracle for OpenView 8.1.7
HP Oracle for OpenView 9.2 |
| Not Vulnerable: | |
Discussion
Oracle Workspace Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Successful exploits allow 'PUBLIC' users to gain 'SYS' privileges; other attacks may also be possible.
NOTE: This issue was previously documented in BID 26039 (Oracle October 2007 Critical Patch Update Multiple Vulnerabilities) but has been given its own BID because further technical details are now available.
Exploit / POC
Attackers can use a browser to exploit this issue.
Solution / Fix
Solution:
The vendor released an advisory and updates to address this issue. Please see the references for more information.
References
References: