Oracle interMedia Multiple SQL Injection Vulnerabilities
BID:26101
Info
| Bugtraq ID: | 26101 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-5508 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 17 2007 12:00AM |
| Updated: | May 07 2015 05:34PM |
| Credit: | David Litchfield of NGSSoftware is credited with the discovery of this vulnerability. |
| Vulnerable: | Oracle Oracle9i Application Server 9.2 .8; Oracle Oracle10g Standard Edition 10.2 .3; Oracle Oracle10g Standard Edition 10.2 .2; Oracle Oracle10g Standard Edition 10.1 .0.5; Oracle Oracle10g Personal Edition 10.2 .3; Oracle Oracle10g Personal Edition 10.2 .2; Oracle Oracle10g Personal Edition 10.1 .5; Oracle Oracle10g Enterprise Edition 10.2 .3; Oracle Oracle10g Enterprise Edition 10.2 .2; Oracle Oracle10g Enterprise Edition 10.1 .5; Oracle Oracle10g Application Server 10.1.2 .0.1; HP Oracle for OpenView for Linux LTU Service Bureaus 0; HP Oracle for OpenView for Linux LTU 0; HP Oracle for OpenView 9.1.1; HP Oracle for OpenView 8.1.7; HP Oracle for OpenView 9.2 |
| Not Vulnerable: | |
Discussion
Oracle interMedia is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.
Successful exploits may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
NOTE: These issues were previously documented in BID 26039 (Oracle October 2007 Critical Patch Update Multiple Vulnerabilities). The issue was given its own BID because further technical details are now available.
Exploit / POC
Solution / Fix
Solution:
The vendor released an advisory and updates to address these issues. Please see the references for more information.
References
References:
- Oracle Homepage (Oracle)
- Oracle interMedia Product Page (Oracle)
- HPSBMA02133 SSRT061201 rev.6 - HP Oracle for OpenView (OfO) Critical Patch Updat ([email protected])
- Multiple SQL Injection Flaws in Oracle CTX_DOC package ("NGSSoftware Insight Security Research")
- High Risk Vulnerability in Oracle CTX_DOC (NGSSoftware)
- Oracle Critical Patch Update - October 2007 (Oracle)